
JSON Web Token (JWT)

A JSON Web Token (JWT) is a compact, URL-safe token format that encodes claims as a JSON object and protects them either with a signature or MAC for integrity (a JWS) or with encryption for confidentiality (a JWE).

JWTs are one of the most common token formats used in modern API authentication and authorization workflows. A JWT consists of three Base64URL-encoded parts separated by dots: a header naming the signing algorithm (the alg field) and token type, a payload containing claims about the user or session, and a signature (or HMAC) computed over the first two parts, which lets the verifier detect tampering. Base64URL is an encoding, not encryption: anyone holding the token can read the header and payload.

Because JWTs are self-contained, the server does not need to query a database to validate the token, which makes them highly performant for stateless architectures and microservices. Common claims include the issuer (iss), subject (sub), audience (aud), expiration time (exp), and custom application-specific data such as user roles or permissions. The flip side of statelessness is that a token stays valid until exp regardless of what happens on the server; revoking it early (logout, password change, account compromise) requires server-side state again, such as a denylist keyed on the token identifier (jti).

However, JWTs introduce significant security risks when improperly implemented. In the "none" algorithm attack, the attacker sets alg to none and drops the signature; a verifier that obeys the header's alg then accepts the token without any check (some libraries also failed to block case variants such as None). In an algorithm confusion attack, the attacker changes an RS256 header to HS256 and signs the token with the server's RSA public key; a verifier that hands its single configured key to whichever primitive the header names computes the same HMAC and accepts the forgery. Tokens with excessively long expiration times widen the window for misuse if one leaks. Best practices include pinning the expected algorithm and key type in server configuration rather than taking them from the token, validating exp, nbf, iss and aud on every request, using short-lived tokens with a refresh mechanism, storing tokens securely, and never placing sensitive data in the payload without encryption, since Base64URL hides nothing. Libraries such as jose and jsonwebtoken provide robust implementations when configured correctly, which means passing an explicit algorithms allow-list to jose's jwtVerify or jsonwebtoken's verify rather than relying on defaults.

Tags: authentication, tokens, API, cryptography
