A JSON Web Token (JWT) is a compact, self-contained token format defined by RFC 7519. It encodes a set of claims as a JSON object and is digitally signed to ensure integrity. JWTs are widely used in authentication and authorization workflows across web applications and APIs.
How It Works
A JWT consists of three Base64URL-encoded parts separated by dots: a header, a payload, and a signature. The header specifies the signing algorithm (such as HMAC-SHA256 or RSA). The payload contains claims — key-value pairs that carry information like the user's identity, roles, expiration time, and issuer. The signature is computed over the header and payload using a secret key or a private key, depending on the algorithm.
When a user authenticates, the server generates a JWT and returns it to the client. The client then includes this token in subsequent requests, typically in the Authorization header. The server verifies the signature and reads the claims to determine whether the request should be authorized. Because the token is self-contained, the server does not need to query a database for session data on every request.
JWTs can use symmetric algorithms (where the same secret signs and verifies) or asymmetric algorithms (where a private key signs and a public key verifies). Asymmetric signing is common in distributed systems where multiple services need to verify tokens without sharing a secret.
Security Considerations
JWTs introduce several attack surfaces when implemented poorly. The "none" algorithm attack tricks servers that honour the algorithm named in the token header into accepting unsigned tokens. Algorithm confusion attacks exploit implementations that allow the algorithm to be switched from asymmetric to symmetric, so that the server's public key is used as the HMAC secret. Weak or leaked signing keys compromise every token ever issued with that key.
Token expiration must be enforced. Long-lived JWTs without refresh mechanisms give attackers extended windows of access if a token is stolen. Sensitive data should never be stored in the payload, since the claims are only Base64URL-encoded, not encrypted, and anyone holding the token can decode them.
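The following is an added example, not code from the original page: a minimal HS256 signer and verifier using only the Python standard library. The verifier pins the expected algorithm server-side instead of trusting the header's alg field (rejecting "none" and switched algorithms), checks the signature in constant time, and enforces exp. The secret is a constructed placeholder.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real deployment loads it from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # JWT parts are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Verify a token and return its claims; raise ValueError on any failure.
    The accepted algorithm is fixed here rather than read from the header,
    so 'alg: none' and algorithm-switching headers are rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking signature bytes via timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # exp is mandatory here: a token with no expiry is never accepted.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims

def is_valid(token: str, now=None) -> bool:
    try:
        verify_hs256(token, now=now)
        return True
    except ValueError:
        return False
```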
Why It Matters
JWTs are foundational to modern authentication. A misconfigured JWT implementation can grant attackers full access to user accounts and administrative functions. Understanding how tokens are signed, validated, and revoked is essential for building and testing secure systems.