Security Glossary

JSON Web Token (JWT)

A compact, URL-safe token format for securely transmitting claims between parties, commonly used for stateless authentication in web applications and APIs.

JSON Web Token (JWT) is an open standard (RFC 7519) for creating compact, self-contained tokens that securely transmit information between parties as a JSON object. JWTs are commonly used for authentication and information exchange.

Structure

A JWT consists of three Base64URL-encoded parts separated by dots:

header.payload.signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Components

  • Header: Algorithm (alg) and token type (typ)
  • Payload: Claims (user data, expiration, issuer)
  • Signature: Verification signature using secret or private key

Common Claims

{
  "sub": "1234567890",    // Subject (user ID)
  "name": "John Doe",     // Custom claim
  "iat": 1516239022,      // Issued at
  "exp": 1516242622,      // Expiration time
  "iss": "https://example.com"  // Issuer
}

Security Considerations

  • Always verify the signature before trusting claims
  • Validate the algorithm (alg) against the value you expect to prevent algorithm confusion attacks
  • Check expiration (exp) and not-before (nbf) claims
  • Use HTTPS to prevent token interception
  • Consider token size (included in every request)
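The first three checks above, carried out in the order a verifier should apply them, as an added example that is not part of the original glossary entry. It uses only the Python standard library (HS256 via hmac/hashlib rather than a JWT library); sign_hs256, verify_jwt, ALLOWED_ALGS and the secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Pin the algorithm server-side; never let the token's own header choose it.
ALLOWED_ALGS = {"HS256"}

def b64url_decode(segment: str) -> bytes:
    # Base64URL omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Constructed helper used only to mint tokens for the checks below.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Return the payload only if alg, signature and time claims all pass; else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_seg, p_seg, s_seg = parts
    header = json.loads(b64url_decode(h_seg))
    # 1. Algorithm check: rejects "none" and anything outside the allow-list.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    # 2. Signature check before any claim is trusted; constant-time comparison.
    expected = hmac.new(secret, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_seg)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_seg))
    # 3. Time claims: exp is required here; nbf is enforced when present.
    if "exp" not in payload or now > int(payload["exp"]) + leeway:
        raise ValueError("token expired or missing exp")
    if "nbf" in payload and now < int(payload["nbf"]) - leeway:
        raise ValueError("token not yet valid")
    return payload
```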
