JWT (JSON Web Token)
What is JWT (JSON Web Token)?
JWT (JSON Web Token): Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers.
A JSON Web Token is a string of three Base64URL-encoded parts joined by dots: header, payload, and signature. The header declares the signing algorithm, the payload carries claims such as iss, sub, aud, exp, and custom data, and the signature lets a recipient verify integrity and origin. JWTs may be signed (JWS) or encrypted (JWE) and are central to OAuth 2.0, OpenID Connect, and service-to-service authentication. Their stateless nature simplifies horizontal scaling but complicates revocation. Always pin the algorithm server-side, validate aud, iss, and exp, prefer short lifetimes, and pair with refresh tokens or token introspection.
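The verification discipline described above (algorithm pinned by the server, signature checked in constant time, then iss, aud and exp validated), as an added stand-alone example that is not part of this glossary entry. It uses only the Python standard library and HS256; the key, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"demo-hmac-key-not-for-production"   # constructed demo key
PINNED_ALG = "HS256"                            # the verifier chooses the alg, never the token
EXPECTED_ISS = "https://issuer.example"         # constructed issuer
EXPECTED_AUD = "api.example"                    # constructed audience

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Issue header.payload.signature, each part Base64URL, signed with HS256."""
    header = b64url_encode(json.dumps({"alg": PINNED_ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is acceptable; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: anything the server did not choose is rejected before any crypto runs.
    if header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check leaks no timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired")
    return claims

def check(token: str, now: int) -> str:
    """'ok' when verify() accepts the token, otherwise the rejection reason."""
    try:
        verify(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```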
● Examples
- 01
An OIDC ID token signed with RS256 returned to a single-page app.
- 02
An access token with claims { "sub": "u123", "scope": "read:profile", "exp": 1734567890 }.
● Frequently asked questions
What is JWT (JSON Web Token)?
Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers. It belongs to the Identity & Access category of cybersecurity.
What does JWT (JSON Web Token) mean?
Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers.
How does JWT (JSON Web Token) work?
A JSON Web Token is a string of three Base64URL-encoded parts joined by dots: header, payload, and signature. The header declares the signing algorithm, the payload carries claims such as iss, sub, aud, exp, and custom data, and the signature lets a recipient verify integrity and origin. JWTs may be signed (JWS) or encrypted (JWE) and are central to OAuth 2.0, OpenID Connect, and service-to-service authentication. Their stateless nature simplifies horizontal scaling but complicates revocation. Always pin the algorithm server-side, validate aud, iss, and exp, prefer short lifetimes, and pair with refresh tokens or token introspection.
How do you defend against JWT (JSON Web Token)?
Defences for JWT (JSON Web Token) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for JWT (JSON Web Token)?
Common alternative names include: JSON Web Token.
● Related terms
- appsec № 575
JWT Vulnerabilities
Classes of implementation flaws in JSON Web Token validation that allow attackers to forge tokens, escalate privileges, or bypass authentication.
- identity-access № 749
OAuth 2.0
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
- identity-access № 760
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that lets clients verify a user's identity and obtain basic profile information via signed ID tokens.
- identity-access № 007
Access Token
Short-lived credential issued by an authorization server that a client presents to an API to access protected resources on a user's or service's behalf.
- identity-access № 913
Refresh Token
Long-lived credential used to obtain new short-lived access tokens from an OAuth 2.0 authorization server without prompting the user to log in again.
- identity-access № 088
Bearer Token
An opaque or structured credential (RFC 6750) granting access to a resource simply by possession, without proof that the holder is the rightful owner.