JSON Web Tokens

How signed tokens carry claims, and the pitfalls of trusting them blindly.

Structure

A JSON Web Token has three base64url parts: a header, a payload of claims, and a signature. The signature lets a server verify the token was issued by a trusted party and not altered, without a database lookup.

How Trust Works

  • The issuer signs with a secret for HMAC or a private key for asymmetric algorithms.
  • Verifiers recompute the signature to confirm integrity.
  • The payload is encoded, not encrypted, so never store secrets in it.

Common Pitfalls

  • Accepting the alg field from the token lets an attacker set it to none or downgrade it to a weaker algorithm; pin the expected algorithm on the verifier side and reject anything else.
  • Skipping expiry and audience checks lets stale or misrouted tokens pass.
  • Long-lived tokens are hard to revoke, so keep access tokens short and use refresh tokens.

Key idea

A JWT is a signed but readable container of claims, so verify the signature with a pinned algorithm and always validate expiry and audience.
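An added example (not code from the lesson) of the checks described under Common Pitfalls and Key idea, using only the Python standard library: the verifier pins the algorithm to HS256 instead of trusting the token's alg header, compares the HMAC in constant time, and validates exp and aud. The issuer function, the secret and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    # JWT parts are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token as header.payload.signature (constructed demo issuer)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, audience: str, now=None):
    """Return (claims, None) if valid, else (None, reason). Algorithm is pinned to HS256."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given_sig = b64url_decode(sig)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    # Pin the algorithm: the token's own alg field never chooses the check, so a
    # header saying "none" or a weaker algorithm fails here before any signature logic.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):  # constant-time comparison
        return None, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:  # missing exp counts as expired
        return None, "expired"
    if claims.get("aud") != audience:
        return None, "audience mismatch"
    return claims, None
```

The `now` parameter exists so the expiry path can be exercised deterministically; in production leave it unset so the real clock is used.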

Check yourself

1. Why must you never store secrets in a JWT payload?

2. How do you prevent algorithm confusion attacks?

3. What makes long-lived access tokens risky?