Why it matters

JWT security bugs are common. Understanding the structure and how to use it correctly prevents most issues.

Advertisement

The architecture

Structure: header.payload.signature. Base64-encoded JSON.

Header: alg + type. Payload: claims (iss, sub, aud, exp, custom). Signature: HMAC or RSA sig.

JWT anatomyHeaderalg + typePayloadclaimsSignatureverify integritySignature critical; 'none' algorithm attack: some libs accept unsigned tokens
JWT structure.
Advertisement

How it works end to end

Verification: check signature, expiration (exp), issuer (iss), audience (aud).

Storage: cookie (HttpOnly + Secure + SameSite) or memory. Not localStorage (XSS vulnerable).

Revocation: hard for JWT. Short expiration + refresh token pattern.

Algorithm confusion: verify with expected algorithm, not header-specified.