JSON Web Token (JWT)
Allow users to grant access to their applications.
JWT (JSON Web Token) is a compact, self-contained token format used to securely transmit information between parties as a JSON object that can be verified and trusted because it is digitally signed. Defined by RFC 7519, JWTs provide a stateless way to handle authentication and authorization in modern web applications, APIs, and microservices architectures. A JWT consists of three parts separated by dots: a header (containing the token type and signing algorithm), a payload (containing claims or statements about the user and additional metadata), and a signature (used to verify the token hasn’t been tampered with). The entire token is Base64URL-encoded, making it URL-safe and easy to transmit in HTTP headers, URL parameters, or cookies. Unlike opaque tokens that require a server to look up session data in a database, JWTs are self-contained—all the information needed to validate and use the token is embedded within it, allowing stateless authentication where servers don’t need to maintain session state. This makes JWTs particularly valuable in distributed systems, microservices, and mobile applications where scalability and reduced database lookups are important.
JWTs support multiple signing algorithms including HMAC (symmetric signing with a shared secret) and RSA/ECDSA (asymmetric signing with public/private key pairs), with the signature ensuring that the token content hasn’t been modified and verifying the issuer’s identity. The payload contains claims—standardized fields like iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), iat (issued at), and nbf (not before), along with custom claims for application-specific data like user roles, permissions, or profile information. When a user successfully authenticates, the server generates a JWT and sends it to the client, which then includes this token in subsequent requests (typically in the Authorization: Bearer
License: Simplified BSD License
Tags: Authentication, Authorization, Security
Properties: JSON Web Token, Token Format, RFC 7519, IETF Standard, Self-Contained, Stateless, Digitally Signed, Compact Format, URL-Safe, Base64URL Encoded, Three-Part Structure, Header Section, Payload Section, Signature Section, Dot Separated, Header.Payload.Signature, Token Type, Algorithm Specification, Signing Algorithm, HMAC Support, HS256, HS384, HS512, RSA Support, RS256, RS384, RS512, ECDSA Support, ES256, ES384, ES512, PS256, PS384, PS512, Symmetric Signing, Asymmetric Signing, Shared Secret, Public-Private Keys, Digital Signature, Cryptographic Security, Tamper Proof, Integrity Verification, Authentication Token, Authorization Token, Claims-Based, Payload Claims, Registered Claims, Public Claims, Private Claims, Custom Claims, Issuer Claim, Subject Claim, Audience Claim, Expiration Time, Issued At, Not Before, JWT ID, Standard Claims, User Identity, User Roles, Permissions, Metadata, Context Information, Session Data, Token Expiration, Time-Limited, Short-Lived, Long-Lived, Refresh Tokens, Access Tokens, ID Tokens, Token Validation, Signature Verification, Expiration Checking, Issuer Validation, Audience Validation, Clock Skew Tolerance, NBF Validation, Algorithm Verification, Token Decoding, Base64 Decoding, JSON Parsing, Header Parsing, Payload Extraction, Claim Extraction, No Encryption, Readable Payload, Transparent Data, Public Information, No Sensitive Data, PII Warnings, Security Best Practices, Bearer Token, Authorization Header, HTTP Header, Cookie Storage, LocalStorage, SessionStorage, Mobile Storage, Secure Storage, Token Transmission, HTTPS Required, TLS Required, Secure Channel, Man-in-the-Middle Protection, Replay Attack Prevention, Token Theft Protection, XSS Vulnerability, CSRF Considerations, Token Revocation, Blacklist Support, Whitelist Support, Token Invalidation, Logout Handling, Forced Logout, Session Termination, Stateless Authentication, No Server State, No Session Storage, No Database Lookup, Distributed Systems, Microservices, 
Service-to-Service, API Authentication, REST API, GraphQL, gRPC Support, Mobile Apps, Single Page Applications, Native Apps, Web Applications, Server-Side Rendering, Client-Side Rendering, OAuth 2.0 Integration, OpenID Connect, OIDC ID Tokens, Access Token Format, Token Exchange, Token Delegation, Impersonation, On-Behalf-Of, Nested Tokens, Encrypted JWT, JWE Support, JSON Web Encryption, Content Encryption, Key Encryption, Compact Serialization, JSON Serialization, Flattened Serialization, Multi-Recipient, Key Management, Key Rotation, Key Distribution, JWKS Support, JSON Web Key Set, Public Key Discovery, Well-Known Endpoint, Key ID, Kid Header, Algorithm Header, Type Header, Content Type, Nested JWT, Token Chaining, Token Binding, Proof of Possession, Holder of Key, Certificate Bound, mTLS Binding, DPoP Support, Demonstrating Proof of Possession, Thumbprint, Token Fingerprint, Single Sign-On, SSO Token, Federation, Cross-Domain, CORS Support, Same-Site, Cross-Origin, Domain Restrictions, Scope Claims, Permission Claims, Role Claims, Group Claims, Tenant Claims, Organization Claims, Multi-Tenant, B2B Support, B2C Support, Enterprise Integration, Identity Provider, IdP Issued, Authorization Server, Token Endpoint, Introspection Endpoint, Userinfo Endpoint, Claims Transformation, Claim Mapping, Attribute Mapping, Profile Information, Email Claim, Name Claim, Picture Claim, Locale Claim, Timezone Claim, Phone Number, Address Claim, Custom Attributes, Application Metadata, Device Information, Location Data, IP Address, User Agent, Request Context, Zero Trust, Continuous Verification, Context-Aware, Risk-Based, Adaptive Authentication, Step-Up Auth, Elevated Privileges, MFA Claims, Authentication Method, AMR Claim, ACR Claim, Authentication Context, Assurance Level, Confidence Score, Trust Level, Verification Status, Compliance, GDPR Compliance, Privacy Protection, Data Minimization, Consent Management, Audit Logging, Token Logging, Security Events, Monitoring, 
Metrics, Performance, Scalability, High Volume, Throughput, Low Latency, Fast Validation, Efficient Processing, Minimal Overhead, Bandwidth Efficient, Small Payload, Compression Support, Token Size, Size Limitations, URL Length Limits, Header Size Limits, Cookie Size Limits, Optimization, Claim Reduction, Minimal Claims, Reference Tokens, Hybrid Approach, Token Cache, Validation Cache, Public Key Cache, Performance Tuning, Library Support, Language Support, JavaScript Libraries, Node.js Support, Python Support, Java Support, .NET Support, Go Support, Ruby Support, PHP Support, Rust Support, Mobile SDKs, iOS Support, Android Support, React Native, Flutter Support, Framework Integration, Express.js, Spring Security, ASP.NET Core, Django, Flask, Laravel, Rails, Passport.js, Auth0 Libraries, Okta SDKs, AWS Amplify, Firebase Auth, Supabase Auth, Testing Tools, Debugger Tools, jwt.io Decoder, Token Inspector, Validation Testing, Unit Testing, Integration Testing, Mock Tokens, Test Tokens, Development Mode, Production Mode, Environment Variables, Configuration Management, Secret Management, Vault Integration, HSM Support, Hardware Security, Key Storage, Secure Enclave, Keychain, Credential Manager, Standards Compliance, RFC Compliance, JOSE Standards, JSON Object Signing, Encryption Standards, Cryptographic Standards, Algorithm Requirements, Security Requirements, Best Current Practice, Security BCP, Threat Model, Attack Vectors, Vulnerabilities, Common Pitfalls, Algorithm Confusion, None Algorithm, Weak Algorithms, Key Exposure, Secret Leakage, Token Leakage, Debug Tokens, Logging Warnings, Error Handling, Exception Handling, Graceful Degradation, Fallback Mechanisms, Backward Compatibility, Forward Compatibility, Version Migration, Legacy Support, Deprecation, Algorithm Deprecation, Security Updates, Patch Management, Vulnerability Disclosure, CVE Tracking, Security Advisories, Industry Standard, Widely Adopted, Battle Tested, Mature Technology, Production Ready, 
Enterprise Grade, Mission Critical, High Security, Defense in Depth, Layered Security, Token Refresh, Refresh Flow, Silent Refresh, Sliding Expiration, Absolute Expiration, Grace Period, Token Renewal, Automatic Refresh, Refresh Token Rotation, Token Family, Device Binding, IP Binding, Browser Binding, Fingerprinting, Anti-Replay, Nonce Support, JTI Uniqueness, One-Time Use, Idempotency, Documentation, Specification, RFC Documents, Implementation Guides, Best Practices, Security Guidelines, Migration Guides, Code Examples, Sample Code, Reference Implementation, Open Source, Community Support, Stack Overflow, GitHub, Issue Tracking, Feature Requests, Contributions, Ecosystem, Tool Support, Debugger, Validator, Generator, Parser, Encoder, Decoder, Interoperability, Cross-Platform, Cross-Language, Protocol Agnostic, Transport Agnostic, Format Flexibility, Extensible, Custom Headers, Custom Claims, Application Specific, Domain Specific, Industry Specific, Use Case Specific, Versatile, Adaptable, Configurable, Customizable
Website: https://www.jwt.io/