Jwt Help & Guide

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties. It's commonly used for authentication and authorization.

JWT Has Three Parts

1. Header: Contains token type and signing algorithm
2. Payload: Contains the claims (data)
3. Signature: Verifies the token wasn't tampered with

Common Claims

• iss: Issuer—who created the token
• sub: Subject—who the token is about
• aud: Audience—who the token is for
• exp: Expiration time
• iat: Issued at time

Error: "Invalid signature"

Cause: The signature doesn't match what it should be.

Possible reasons:

• Using wrong secret/public key
• Token was tampered with
• Mismatched algorithm (HS256 vs RS256)

Error: "Token expired"

Cause: The exp claim is in the past.

Solution: Get a new token from the authentication server.

Error: "Audience invalid"

Cause: The aud claim doesn't match your application.

Solution: Check that you're using the correct audience value.

Do's

• Always verify signatures
• Check expiration (exp claim)
• Use HTTPS to transmit tokens
• Store tokens securely (httpOnly cookies)
• Use RS256 (asymmetric) over HS256 (symmetric)

Don'ts

• Don't store tokens in localStorage (XSS vulnerable)
• Don't put sensitive data in JWT (it's base64 encoded, not encrypted)
• Don't trust tokens without signature verification

Token Storage

• Best: httpOnly cookies (CSRF protected)
• Good: Memory (lost on page refresh)
• Avoid: localStorage, sessionStorage