JWT
JWT (JSON Web Token) is a compact, URL-safe token format that encodes claims as a JSON payload, signed to ensure integrity and optionally encrypted for confidentiality.
Why It Matters
JWTs are the standard for session management and API authentication in modern applications. Misconfigured JWTs (weak signing, no expiration, exposed secrets) are a top OWASP API vulnerability and have led to major breaches.
How It Works
A JWT consists of three parts: header (algorithm), payload (claims like user ID, expiry), and signature. The server signs the token with a secret key. Clients include the JWT in requests; the server verifies the signature without a database lookup.
Best Practices
- Always set expiration (exp) claims
- Use strong signing algorithms (RS256 or ES256)
- Validate all claims on every request
- Never store sensitive data in JWT payloads (they're base64-encoded, not encrypted)
Common Mistakes
- Accepting the "none" algorithm (the server skips signature verification entirely)
- Storing JWTs in localStorage (any XSS payload can read and exfiltrate the token)
- Setting very long expiration times
- Not validating the issuer and audience claims
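The three-part structure from "How It Works" and the checks from the two lists above, as an added, stand-alone example that is not ShieldKey's code. It uses HS256 (HMAC-SHA256) so it runs on the Python standard library alone; the page's recommendation of RS256/ES256 still applies when tokens cross trust boundaries. The secret, issuer and audience values are constructed for the demo; the verifier pins the expected algorithm server-side instead of trusting the header, so a token with "alg": "none" is rejected before any signature work, and exp, iss and aud are all checked on every call.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; in a real deployment load it from a secret store.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ALG = "HS256"  # pinned by the verifier, never read from the token header


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HS256."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str,
               now: Optional[float] = None) -> dict:
    """Verify signature and claims; raise ValueError on any failure.

    Order matters: reject unexpected algorithms first, then check the
    signature, and only then trust the payload enough to read its claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims:
        raise ValueError("missing exp")          # tokens without expiry are rejected
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


if __name__ == "__main__":
    # Constructed claims for the demo; "sub" is a user id, not sensitive data.
    demo_claims = {"sub": "user-123", "iss": "https://issuer.example",
                   "aud": "api.example", "exp": int(time.time()) + 900}
    token = sign_jwt(demo_claims, DEMO_SECRET)
    print(token)
    print(verify_jwt(token, DEMO_SECRET, "https://issuer.example", "api.example"))
```

Note that the payload is only base64url-encoded: anyone holding the token can decode it, which is why the best practices above say to keep sensitive data out of it.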
How ShieldKey Helps
ShieldKey uses session-based authentication with secure cookies rather than JWTs for its own auth. For API proxy tokens, Shield Tokens provide simpler, more secure access control than self-issued JWTs.
FAQ
What is a JWT?
A JWT (JSON Web Token) is a signed token that carries claims (user identity, permissions, expiry) in a JSON payload. It's used for authentication without server-side session storage.