JWT
A JWT (JSON Web Token, pronounced 'jot') is a compact JSON token signed by an issuer. Three base64url-encoded parts joined with dots: header.payload.signature. Used for stateless auth, OIDC ID tokens, and signed messages between services.
What it means
Header declares the algorithm (HS256, RS256, ES256) and token type. Payload is JSON claims — `sub` (subject), `iat` (issued at), `exp` (expires), `aud` (audience), plus app-specific keys. Signature is HMAC-SHA256 (HS256) or RSA/ECDSA with SHA-256 (RS256/ES256) computed over the encoded `header.payload`, using a shared secret (HS) or the issuer's private key (RS/ES). The recipient verifies the signature with the matching key (the same secret, or the issuer's public key) and only then trusts the claims. Tokens are NOT encrypted — anyone holding one can base64url-decode the payload. Use JWE if you need encryption, or just don't put sensitive data in claims.
Why it matters
JWTs are everywhere: OIDC ID tokens, session tokens in stateless APIs, signed URLs, service-to-service auth. The right uses are short-lived (5-15 minutes), with rotation. The wrong uses are 'session tokens that live forever' (you can't revoke them; at best you maintain a deny-list, which defeats the point of being stateless), or 'put the user's email + role in the payload and trust it forever' (a stolen token is valid until expiry). JWT vulnerabilities are usually deployment errors: not verifying the signature, accepting the `none` algorithm, letting the token's own `alg` header pick the verification key (so an RS public key ends up being used as an HS secret), or not validating `aud`/`iss`.
Frequently asked questions
Are JWTs encrypted?
Signed, not encrypted. Anyone with the token can read the payload via base64-decoding. JWE (encrypted) variants exist but are rarely used.
Where should I store JWTs?
httpOnly cookies for browser apps (page scripts can't read them, so an XSS can't exfiltrate the token; pair them with SameSite or a CSRF token because the browser still sends them automatically). Authorization header for API clients. NOT localStorage — any injected script can read it.
Can I revoke a JWT?
Not directly — that's the point of stateless tokens. Workarounds: short expiry (5-15 minutes) + refresh token, or maintain a deny-list of revoked `jti` claims, or rotate the signing key (invalidates ALL tokens).
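The pieces above (the three-part structure and HS256 signature from "What it means", the deployment errors listed under "Why it matters", the "signed, not encrypted" point, and the `jti` deny-list workaround) fit in one small verifier. The following is an added example written for this glossary entry, not code from any library or from the page's author; it uses only the Python standard library. The secret, issuer URL, audience name and `jti` values are constructed for the demo. The verifier pins the algorithm to HS256 instead of reading it from the header, compares signatures in constant time, then checks `exp`, `iss`, `aud` and a revoked-`jti` set; `peek_claims` shows that the payload is readable without any key at all.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding base64url strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _part(obj: dict) -> str:
    """Compact JSON, then base64url, for one token segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Mint header.payload.signature; the HMAC covers the two encoded parts."""
    signing_input = _part({"alg": "HS256", "typ": "JWT"}) + "." + _part(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_none_token(claims: dict) -> str:
    """Constructed negative-test fixture: alg=none with an empty signature,
    the shape a verifier that trusts the header would wrongly accept."""
    return _part({"alg": "none", "typ": "JWT"}) + "." + _part(claims) + "."


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying: the token is signed, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, audience: str, issuer: str,
                 revoked_jti=frozenset(), now: Optional[float] = None) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the verifier decides, never the header. This rejects
    # alg=none and stops a public key from being fed into the HMAC check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # A missing exp is treated as expired: never issue or accept eternal tokens.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # RFC 7519 allows a string or a list here
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("jti") in revoked_jti:  # the deny-list revocation workaround
        raise ValueError("revoked")
    return claims


def why_rejected(token: str, secret: bytes, audience: str, issuer: str,
                 revoked_jti=frozenset(), now: Optional[float] = None) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was refused."""
    try:
        verify_hs256(token, secret, audience, issuer, revoked_jti, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = int(time.time())
    claims = {"sub": "alice", "role": "user", "iss": "https://issuer.example",
              "aud": "orders-api", "iat": now, "exp": now + 600, "jti": "t-1"}
    tok = encode_hs256(claims, SECRET)
    print("payload readable without a key:", peek_claims(tok))
    print("valid token:", why_rejected(tok, SECRET, "orders-api", "https://issuer.example"))
    print("alg=none:", why_rejected(unsigned_none_token(claims), SECRET, "orders-api", "https://issuer.example"))
    print("revoked jti:", why_rejected(tok, SECRET, "orders-api", "https://issuer.example", {"t-1"}))
```

Every check except the signature is a claim check, and each one is a separate error so logs can tell a tampered token from an expired or misdirected one; a verifier that only checks the signature would happily accept a token minted for a different service or one whose `jti` is on the deny-list.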
Related terms
- OAuth: OAuth is the open-standard protocol that lets a user grant a third-party app limited, scoped access to their account at another service — without sharing their password. 'Sign in with Google', GitHub OAuth apps, Slack-to-Notion integrations all run on OAuth 2.0.
- HTTPS: HTTPS is HTTP wrapped in a TLS-encrypted tunnel. Everything between your browser and the server — URLs, form data, cookies, response bodies — is encrypted in transit so a network observer (cafe Wi-Fi, ISP, anyone in between) can't read it or change it.