🎟️

JWT

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between two parties as a digitally signed JSON object. It's the most used format for authentication in modern APIs, single sign-on (SSO), and authorization in distributed systems.

Examples

  • eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
  • Authorization: Bearer {jwt_token}
  • Refresh token flow: access token (15min) + refresh token (7 days)

FAQ

Is JWT encrypted or just signed?

By default it's only signed (JWS). The payload is visible in Base64. If you need encryption, use JWE (JSON Web Encryption), but it's less common and more complex.

How do I invalidate a JWT before it expires?

JWT is stateless, you can't invalidate it directly. Solutions: (1) short expiration + refresh tokens, (2) blacklist in Redis, (3) token versioning with jti claim. All add server-side state.

Is it safe to store JWT in localStorage?

Vulnerable to XSS. If a malicious script executes, it can read localStorage. Safer alternative: HttpOnly cookies (protect against XSS but need CSRF tokens). Ideal: HttpOnly cookies + SameSite=Strict.