JSON Web Token (JWT)
A JWT is a compact, self-contained token that carries claims about a user or entity in a structured format. It is digitally signed, allowing recipients to verify that the token is authentic and has not been modified.
# WHAT TEAMS RUN INTO
- JWT signature validation is sometimes skipped. An application receives a JWT, fails to validate the signature, and trusts the claims in the token. An attacker can forge a JWT with any claims.
- JWTs lack built-in revocation. If a JWT is compromised, it remains valid until it expires. There is no way to instantly invalidate a specific JWT without maintaining a server-side blacklist of revoked tokens.
- JWT claims can leak sensitive information. JWTs are base64url-encoded, not encrypted. Anyone can decode a JWT and see the claims inside it, so JWTs should never contain secrets.
# WHY IT MATTERS
JWTs are a clever design — they let you pass claims about a user between systems without requiring both systems to query a shared database. But JWT security is fragile — it depends on correct signature validation, on not putting secrets inside JWTs, and on having a revocation mechanism for stolen tokens. JWTs make systems scalable but less secure if implemented carelessly.