What is a JWT?
JSON Web Tokens (JWTs) are the standard for stateless authentication in modern web applications. They consist of three parts separated by dots:
- Header: Algorithm and token type.
- Payload: The data (claims) like user ID, expiration, and roles.
- Signature: Cryptographic proof of integrity.
Common JWT Pitfalls
1. Trusting the "None" Algorithm
Some poorly implemented libraries allow the "none" algorithm, which lets attackers bypass signature verification. Always enforce specific algorithms (like HS256 or RS256) on your server.
2. Ignoring Expiration (exp)
Always check the exp claim. A token might be valid structurally but expired in time.
3. Storing Sensitive Data
The payload of a JWT is encoded, not encrypted. Anyone who sees the token can read the payload. Never store passwords or secrets in a JWT.
How to Inspect a JWT safely
You don't need the secret key to read a JWT's payload. You can use a client-side decoder to view the contents.
Warning: Never paste your production JWTs into untrusted online tools that might log them.
Use the Apicurl JWT Decoder. It runs entirely in your browser—your tokens never leave your device.
Checklist for Secure JWT Implementation
- [ ] Use HTTPS for all token transmission.
- [ ] Store tokens securely (HttpOnly cookies are recommended over localStorage).
- [ ] Implement token rotation and refresh tokens.
- [ ] Validate the aud (audience) and iss (issuer) claims.