Intosoft 工具
🎫

How JWT Works

JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims between parties. This guide covers structure, algorithms, and security best practices.

JWT Structure (Header.Payload.Signature)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

Specifies the signing algorithm and token type

{"alg":"HS256","typ":"JWT"}

Payload

Contains claims (user data and metadata)

{"sub":"1234567890","name":"John Doe","iat":1516239022}

Signature

Verifies the token hasn't been tampered with

HMACSHA256(base64(header) + '.' + base64(payload), secret)

How JWT Authentication Works

1🔐
Login
User sends credentials to auth server
2⚙️
Generate
Server creates JWT with user claims, signs it
3📤
Return
JWT sent to client (cookie or response body)
4💾
Store
Client stores JWT (HttpOnly cookie or memory)
5📨
Request
Client sends JWT with each API request
6
Verify
Server validates signature and claims

Standard Claims (RFC 7519)

ClaimNameDescription
issIssuerWho issued the token (e.g., auth server URL)
subSubjectWho the token is about (usually user ID)
audAudienceWho should accept the token (e.g., API URL)
expExpirationUnix timestamp when token expires
nbfNot BeforeToken not valid before this time
iatIssued AtWhen the token was created
jtiJWT IDUnique identifier for the token

Signing Algorithms

HS256Symmetric
Security: Good

HMAC with SHA-256. Same secret for signing and verification.

Use case: Single server, monolithic apps

RS256Asymmetric
Security: Better

RSA signature with SHA-256. Private key signs, public key verifies.

Use case: Microservices, third-party integration

ES256Asymmetric
Security: Best

ECDSA with P-256 curve. Smaller keys, same security as RSA.

Use case: Mobile apps, IoT, modern systems

noneNone
Security: DANGEROUS

No signature. Anyone can forge tokens.

Use case: NEVER use in production

Security Best Practices

Always Validate SignatureCritical

Never trust a JWT without verifying its signature. Reject 'alg: none'.

Check ExpirationCritical

Always verify 'exp' claim. Use short expiration times (15-60 minutes).

🎯Validate Issuer & AudienceCritical

Check 'iss' and 'aud' claims match expected values to prevent token reuse attacks.

🔒Use HTTPS OnlyCritical

JWTs are often in headers/cookies. Always use TLS to prevent interception.

💾Store Securely

Use HttpOnly cookies or secure storage. Avoid localStorage for sensitive tokens.

📦Keep Payload Small

Don't store sensitive data in JWT. It's Base64 encoded, not encrypted.

Common Vulnerabilities

Algorithm ConfusionCVE-2015-9235

Attacker changes RS256 to HS256 and signs with public key (known)

Fix: Always specify expected algorithm, reject 'none'

Token Leakage

JWTs logged, exposed in URLs, or stored insecurely

Fix: Use short expiration, HttpOnly cookies, never log tokens

Public Key Reuse

Same key used for different purposes allows token reuse

Fix: Use unique keys per service, validate 'aud' claim

JWT vs. Server Sessions

JWT (Stateless)

  • ✅ No server storage needed
  • ✅ Scales horizontally easily
  • ✅ Works across services
  • ❌ Can't revoke instantly
  • ❌ Larger than session ID

Sessions (Stateful)

  • ✅ Instant revocation
  • ✅ Small session ID
  • ✅ Sensitive data on server
  • ❌ Requires session store
  • ❌ Harder to scale

External Resources

🎫
JWT.io
Debug & decode JWTs
📄
RFC 7519
Official specification

Decode Your JWTs!

Inspect and validate JSON Web Tokens with our free decoder tool.

🎫Open JWT Decoder

Related Tools

🎫
JWT Decoder
🔤
Base64 Tool
#️⃣
Hash Generator
{}
JSON Formatter