JWT Cheat Sheet
A JSON Web Token is three base64url-encoded parts joined by dots: header, payload, and signature. Its security depends entirely on strict server-side validation; nothing in the token itself can be trusted until the server has checked it.
Validation Checklist
- Enforce the expected signing algorithm on the server side; never let the token's own alg header choose it
- Verify the signature with trusted keys before reading any claim
- Validate the iss, aud, and exp claims (and nbf when present)
Prevention
- Short token lifetimes and key rotation
- Avoid sensitive claims in the payload (it is only base64url-encoded, not encrypted)
- Use HTTPS and secure storage patterns
Copy-Ready Safe Example Token (Structure Demo Only; the third part is a placeholder, not a valid signature)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vLXVzZXIiLCJyb2xlIjoic3R1ZGVudCIsImlhdCI6MTcwMDAwMDAwMH0.signature-demo-only
Real-Life Bug Pattern (Sanitized)
An API accepted expired tokens because only the signature was checked; the exp claim was never evaluated. A token that leaked therefore stayed usable indefinitely, giving long-term unauthorized access.
- Enforce expiry and not-before claims
- Pin expected issuer and audience
- Rotate signing keys and revoke compromised sessions quickly
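The validation checklist and the sanitized bug above, as an added example that is not part of the original cheat sheet: a strict HS256 validator on the Python standard library, with a small constructed minting helper for building test tokens. The key, issuer and audience values are constructed placeholders; a production system would use a vetted JWT library, and this only shows which checks that library must be configured to perform.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALG = "HS256"  # pinned server-side; the token's own alg header is never trusted

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper to build an HS256 token for exercising the validator."""
    compact = {"separators": (",", ":")}
    h64 = b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}, **compact).encode())
    p64 = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"

def validate(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if every checklist item passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64)), b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64, or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # 1. Enforce the expected algorithm: rejects 'none' and algorithm-confusion tokens.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    # 2. Verify the signature with the trusted key, using a constant-time comparison.
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    # 3. Validate iss, aud, exp and nbf: the checks the sanitized bug above omitted.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("missing or past exp")
    if not isinstance(claims.get("nbf", 0), (int, float)) or now < claims.get("nbf", 0):
        raise ValueError("not yet valid (nbf)")
    return claims
```

The page's structure-demo token fails at step 2 (placeholder signature), and a correctly signed but expired token fails at step 3, which is the check the sanitized bug skipped.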