JWT

Definition

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

Secure Settings Example

A JWT carries its header and its claims in two separate, base64url-encoded segments (the "claims" object belongs in the payload, not in the header). Shown decoded:

Header:
{
  "alg": "RS256",
  "typ": "JWT"
}

Payload (claims):
{
  "iss": "https://secure.example.com",
  "aud": "https://api.example.com",
  "exp": 1700000000,
  "nbf": 1600000000
}
  • Sign with RS256 (RSA signature with SHA-256) rather than HS256. With an asymmetric algorithm the verifying services hold only the public key, so a compromised verifier cannot mint tokens, whereas HS256 shares its signing secret with every party that verifies.
  • Include exp (expiration) and nbf (not before) claims to bound the token’s validity window, and have the verifier check both against the current time.

Insecure Settings Example

Header:
{
  "alg": "none",
  "typ": "JWT"
}

Payload (claims):
{
  "iss": "https://example.com",
  "aud": "https://api.example.com"
}
  • Using alg: "none" means the token is unsigned: a verifier that honours the algorithm named in the header will accept any payload with an empty signature, so the claims can be tampered with freely. Verifiers should accept only an explicit allow-list of algorithms, never the token’s own alg value.
  • Missing exp and nbf claims leave the token valid indefinitely, so a leaked token keeps working until the signing key is rotated.
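The following verifier, an added example rather than code from the original page, enforces the checks behind both settings examples above: an algorithm allow-list that rejects "none", a constant-time signature comparison, and mandatory iss, aud, exp and nbf claims checked against a supplied clock. Because the Python standard library has no RSA, the signature step is demonstrated with HS256 via hmac; the secret, the token-building helper and the sample claims are constructed for the demo, and an RS256 deployment would swap only the signature check for a public-key verification.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # fixed by the verifier; the token's own "alg" header is never trusted

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_input(header: dict, payload: dict) -> str:
    # "header.payload": each part is compact JSON, base64url-encoded without padding
    return ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, payload))

def make_hs256_token(header: dict, payload: dict, secret: bytes) -> str:
    # Constructed issuer for the demo (HMAC-SHA256); a real issuer would sign with an RSA key for RS256
    data = signing_input(header, payload)
    return f"{data}.{b64url_encode(hmac.new(secret, data.encode(), hashlib.sha256).digest())}"

def verify_token(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Return the claims if every check passes; raise ValueError on the first failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALGS:  # rejects "none" and any unexpected algorithm
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    for name in ("iss", "aud", "exp", "nbf"):  # all four are mandatory, as recommended above
        if name not in claims:
            raise ValueError(f"missing claim: {name}")
    if claims["iss"] != issuer or claims["aud"] != audience:
        raise ValueError("issuer or audience mismatch")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("outside validity window")
    return claims

def check(token: str, secret: bytes, issuer: str, audience: str, now: int) -> str:
    # Convenience wrapper: "ok" on success, otherwise the rejection reason (useful for logging)
    try:
        verify_token(token, secret, issuer, audience, now)
        return "ok"
    except ValueError as err:
        return str(err)
```

Logging the rejection reason from check() gives a detection signal: a burst of "algorithm not allowed" or "bad signature" rejections on an API is worth alerting on.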