JSON Web Tokens (JWT) for Secure Authentication

JSON Web Tokens (JWTs) provide a compact, URL-safe method for securely transmitting information between parties as a JSON object. They are widely used for authentication and authorization in web applications, enabling stateless sessions without server-side storage.

Key Components of JWT

JWTs consist of three Base64Url-encoded parts separated by dots (.), each serving a distinct purpose:

Component	Purpose	Example Content
Header	Specifies token type (`JWT`) and signing algorithm (`alg`)	`{"alg": "HS256", "typ": "JWT"}`
Payload	Contains claims (statements about the entity) and additional metadata	`{"sub": "user123", "exp": 1735689600}`
Signature	Ensures token integrity by verifying it hasn’t been altered	`HMACSHA256(header.payload, secret_key)`

Note: While the header and payload are readable when decoded, the signature prevents tampering.

How JWTs Work

1. Token Creation

The server generates a JWT with:
- A header defining the algorithm.
- A payload with claims (e.g., user ID, expiration time).
- A signature created by hashing the header and payload with a secret key.
The token is sent to the client (e.g., via a login response).

2. Token Usage

The client includes the JWT in the Authorization header of subsequent requests:
```
Authorization: Bearer <token>
```
The server verifies the signature and grants access if valid.

3. Token Validation

Signature Check: Ensures the token wasn’t modified.
Expiration Check: Validates the exp claim (if present).
Issuer Check: Confirms the token’s origin (e.g., iss claim).

Signing Algorithms: Symmetric vs. Asymmetric

Type	Algorithm	Key Usage	Use Case
Symmetric	HMAC	Shared secret key	Internal services, simple setups
Asymmetric	RSA/ECDSA	Private key (sign), public key (verify)	Public APIs, microservices

Best Practice: Use asymmetric algorithms (e.g., RS256) for better security in distributed systems.

Security Best Practices

Do’s

Verify Signatures: Always validate the token’s signature before trusting its contents.
Set Short Expirations: Use the exp claim to limit token lifetimes (e.g., 15–60 minutes).
Use HTTPS: Transmit JWTs only over encrypted connections.
Store Securely: Keep tokens in HttpOnly, Secure cookies or secure storage (e.g., localStorage with caution).

Don’ts

Avoid Sensitive Data: Never store passwords or PII in the payload (it’s Base64-encoded, not encrypted).
Don’t Use none Algorithm: Disable unsigned tokens to prevent tampering.
Limit Claims: Minimize payload size to reduce attack surface.

Token Lifecycle Management

1. Issuance

Generate tokens with minimal claims (e.g., sub, exp, iat).

Example payload:

{
  "sub": "user123",
  "exp": 1735689600,
  "iat": 1735603200,
  "scope": "read:profile"
}

2. Storage

Client-Side: Use HttpOnly cookies for web apps to mitigate XSS.
Server-Side: For high-security apps, consider short-lived tokens with refresh tokens.

3. Revocation

Short Expirations: Rely on exp for automatic invalidation.
Denylists: Maintain a server-side list of revoked tokens (e.g., for logout).

Real-World Applications

1. Stateless Authentication

Use Case: Single Sign-On (SSO) and API authentication.
Example: OAuth 2.0 uses JWTs for access tokens.

2. Microservices Communication

Use Case: Secure inter-service communication in distributed systems.
Example: A service verifies a JWT signed by an authentication service.

3. Mobile Apps

Use Case: Persistent login without server-side sessions.
Example: A mobile app stores a JWT after login and includes it in API requests.

Common Pitfalls and Mitigations

Pitfall	Risk	Mitigation
Long-lived tokens	Increased exposure if leaked	Set short `exp` (e.g., 15 minutes)
Weak algorithms (e.g., `HS256`)	Brute-force attacks	Use `RS256` or `ES256`
Missing `exp` claim	Tokens never expire	Always include expiration
Storing in `localStorage`	Vulnerable to XSS	Use `HttpOnly` cookies

Learn More

JWT.io: Interactive debugger and library list.
RFC 7519: Official JWT specification.
OWASP JWT Cheat Sheet: Security guidelines.