Why it matters
JWT security bugs are common. Understanding the structure and how to use it correctly prevents most issues.
Advertisement
The architecture
Structure: header.payload.signature. Base64-encoded JSON.
Header: alg + type. Payload: claims (iss, sub, aud, exp, custom). Signature: HMAC or RSA sig.
Advertisement
How it works end to end
Verification: check signature, expiration (exp), issuer (iss), audience (aud).
Storage: cookie (HttpOnly + Secure + SameSite) or memory. Not localStorage (XSS vulnerable).
Revocation: hard for JWT. Short expiration + refresh token pattern.
Algorithm confusion: verify with expected algorithm, not header-specified.