
JWT (JSON Web Token)

A JWT is a compact, digitally signed token used to securely transmit claims between parties, commonly for authentication and API authorization.

What is a JWT?

A JSON Web Token (JWT) is a standardized token format (RFC 7519) used to represent claims (information) in a compact and URL-safe way. JWTs are widely used in modern web, mobile, and API-based systems to authenticate users and authorize access without maintaining server-side session state. JWTs are typically signed (a JWS) to provide integrity and authenticity, and only sometimes encrypted (a JWE); a signed-only JWT's payload is merely Base64URL-encoded and can be read by anyone who holds the token.

Why JWTs matter

JWTs are important because they:

  • Enable stateless authentication for scalable systems
  • Work well with APIs, microservices, and SPAs
  • Integrate seamlessly with OAuth and OpenID Connect
  • Reduce server-side session storage requirements

They are a core building block of cloud-native identity architectures.

JWT structure

A JWT consists of three Base64URL-encoded parts, separated by dots:

  1. Header

    • Token type (JWT)
    • Signing algorithm (e.g., HS256, RS256)
  2. Payload

    • Claims (e.g., user ID, roles, scopes, expiration)
  3. Signature

    • Lets the verifier check that the header and payload were not altered and were produced by a holder of the signing key

Example structure: header.payload.signature.

Common JWT claims

Frequently used claims include:

  • iss (issuer)
  • sub (subject / user identifier)
  • aud (audience)
  • exp (expiration time)
  • iat (issued at)
  • scope (OAuth scopes) and application-defined claims such as roles (authorization data)

Claims define who the token represents and what it can do.

JWT in authentication and authorization

JWTs are commonly used to:

  • Authenticate users after login
  • Authorize API requests
  • Carry OAuth access tokens
  • Enable single sign-on (SSO)
  • Support service-to-service authentication

They are often transmitted via HTTP headers (e.g., Authorization: Bearer <token>).

JWT vs session cookies

Aspect         | JWT          | Session Cookie
State          | Stateless    | Server-side state
Storage        | Client-side  | Server-side
Scalability    | High         | Depends on backend
Revocation     | Harder       | Easier
Exposure risk  | Token theft  | Cookie theft

JWTs trade revocation simplicity for scalability.

JWT security risks

Misused JWTs can introduce serious risks:

  • Token theft leading to account takeover
  • Long-lived tokens acting as persistent access
  • Weak or misconfigured signing (for example accepting alg "none", short or guessable HMAC secrets, or letting the token's own alg header choose how it is verified)
  • Missing or unchecked claims
  • Tokens stored insecurely in browsers or logs

JWTs must be treated as credentials, not just data.

Securing JWTs

Best practices include:

  • Pinning the accepted algorithm on the verifier side and rejecting alg "none"; prefer asymmetric algorithms (RS256 / ES256) when many services verify tokens, and use HS256 only with a high-entropy secret shared solely with trusted verifiers
  • Enforcing short expiration times
  • Validating the signature and then the issuer, audience, and expiration claims on every request
  • Avoiding sensitive data in payloads, since a signed-only payload is readable by anyone holding the token
  • Rotating signing keys regularly and identifying them with a kid header so verifiers can select the right key
  • Implementing token revocation or introspection when needed

JWT security is closely tied to OAuth and IAM governance.
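A worked example, added here and not part of the original page, that ties the structure section above to the verification rules in this section. It mints an HS256 token, shows that the payload is readable without any key, and then verifies it with a pinned algorithm, kid-based key selection from a small key set, a constant-time signature comparison, and iss/aud/exp checks. The key set, issuer URL, audience, and kid values are constructed for the example; nothing is fetched over the network, and only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key set for this example: kid -> HMAC secret. In a real
# deployment these live in a secrets manager; rotation adds a new kid and
# retires the old one once every token signed with it has expired.
KEYS = {
    "2024-01": b"retired-key-0123456789abcdef0123456789abcdef",
    "2024-07": b"current-key-fedcba9876543210fedcba9876543210",
}
ACTIVE_KID = "2024-07"
ISSUER = "https://issuer.example"   # assumed issuer for the example
AUDIENCE = "orders-api"             # assumed audience this service expects


def b64url_encode(data: bytes) -> str:
    """Base64URL without padding, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the '=' padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims: dict, kid: str = ACTIVE_KID) -> str:
    """Issuer side: header.payload.signature over compact JSON."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    sig = hmac.new(KEYS[kid], ".".join(segments).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(sig)])


def peek_payload(token: str) -> dict:
    """Read the claims with no key at all: a signed JWT is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


class InvalidToken(Exception):
    pass


def verify(token: str, now: Optional[float] = None) -> dict:
    """Verifier side. Returns the claims only if every check passes."""
    now = time.time() if now is None else now
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(b64url_decode(h_seg))
        payload = json.loads(b64url_decode(p_seg))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON/UTF-8
        raise InvalidToken(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidToken("malformed token: segments are not JSON objects")

    # 1. Pin the algorithm. The token's own alg header never selects the
    #    verification method, so alg=none and algorithm confusion fail here.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")

    # 2. Pick the key by kid from the verifier's own key set. Unknown kids are
    #    rejected; a retired key that is still listed keeps pre-rotation tokens valid.
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise InvalidToken("unknown kid")

    # 3. Recompute the HMAC over the exact bytes received; compare in constant time.
    expected = hmac.new(key, f"{h_seg}.{p_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_seg)):
        raise InvalidToken("bad signature")

    # 4. Claims. A valid signature proves who minted the token, not that it is
    #    meant for this service or still within its lifetime.
    if payload.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")
    aud = payload.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise InvalidToken("missing or expired exp")
    return payload


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """None when the token verifies, otherwise the reason it was rejected."""
    try:
        verify(token, now)
        return None
    except InvalidToken as exc:
        return str(exc)


if __name__ == "__main__":
    good = mint_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": int(time.time()) + 300})
    print("claims readable without a key:", peek_payload(good))
    print("verified subject:", verify(good)["sub"])
    h, p, s = good.split(".")
    forged_payload = b64url_encode(json.dumps({**peek_payload(good), "sub": "mallory"}).encode())
    attempts = {
        "alg=none": b64url_encode(b'{"alg":"none","kid":"2024-07"}') + "." + p + ".",
        "tampered payload": f"{h}.{forged_payload}.{s}",
        "unknown kid": b64url_encode(b'{"alg":"HS256","kid":"1999-01"}') + f".{p}.{s}",
    }
    for label, tok in attempts.items():
        print(f"{label}: {rejection_reason(tok)}")
```

The order of the checks is deliberate: the algorithm and key are fixed by the verifier before any signature math happens, and the claim checks run only after the signature holds, so an attacker cannot influence which code path verifies their token. Swapping HS256 for RS256/ES256 changes step 3 to a public-key verification but leaves the pinning, kid lookup, and claim checks unchanged.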

JWT and Zero Trust

In Zero Trust architectures:

  • JWTs provide context-aware access tokens
  • Claims are evaluated on every request
  • Access decisions are dynamic and risk-based

JWTs enable continuous verification rather than one-time login trust.

Common misconceptions

  • "JWTs are encrypted by default": they are only signed unless JWE is used; the payload is Base64URL text that anyone can decode
  • "JWT payloads are private": for the same reason, secrets and personal data do not belong in a signed-only token
  • "JWTs cannot be revoked": they can, through short lifetimes combined with a denylist, introspection, or key rotation; revocation is harder than with sessions, not impossible
  • "Any signing algorithm is safe": alg "none" and verifiers that accept whatever algorithm the token names are classic failures; the verifier must pin what it accepts