JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) for compact, self-contained tokens that carry a set of claims as a JSON object between parties. In its common signed form (a JWS) the token is integrity-protected but not confidential: anyone who holds it can read the claims. JWTs are commonly used for authentication, authorization and information exchange.

Structure

A JWT consists of three Base64URL-encoded parts (unpadded, no trailing "=") separated by dots. The example below is split after each dot for readability; on the wire it is a single string with no whitespace:

header.payload.signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Components

  • Header: signing algorithm (alg) and token type (typ), as JSON
  • Payload: the claims (subject, expiration, issuer, application data), as JSON
  • Signature: computed over header.payload with either a shared secret (HMAC, e.g. HS256) or a private key (e.g. RS256, ES256); the recipient verifies it with the same secret or with the matching public key

Common Claims

(The // comments label each claim and are not valid JSON; a real payload has none.)

{
  "sub": "1234567890",    // Subject (user ID)
  "name": "John Doe",     // Custom (private) claim
  "iat": 1516239022,      // Issued at (seconds since the Unix epoch)
  "nbf": 1516239022,      // Not before: reject until this time
  "exp": 1516242622,      // Expiration time (here one hour after iat)
  "iss": "https://example.com",      // Issuer
  "aud": "https://api.example.com"   // Audience: the service the token is intended for
}

Security Considerations

  • Verify the signature before reading any claim: a token that decodes is not a token that is trusted, since the payload is only Base64URL and anyone can read or rewrite it
  • Pin the expected algorithm and key on the server side instead of honouring the token's alg header: reject alg "none", and never let a token signed with RS256 be verified as HS256 with the public key used as the HMAC secret (key confusion)
  • Check exp and nbf (allowing a small clock skew) and also iss and aud, so a token minted for one service is not accepted by another
  • Send tokens only over HTTPS, and keep them out of URLs and logs
  • Consider token size: the token travels with every request, so keep the payload small and never put secrets in it
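The following is an added example, not code from the original page: it implements the three-part structure above with only the Python standard library and applies each of the security checks in the order they must happen (algorithm pinning, signature, then exp/nbf/iss). The secret, the claim values and the forged alg "none" token are constructed for the demonstration; the sample token embedded as PAGE_TOKEN is the one shown in the Structure section, joined back into one line, and is only decoded, not verified, because its signing secret is not on the page.

```python
"""Mint and verify an HS256 JWT with the standard library only (added example, not from the page)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALG = "HS256"   # the verifier pins the algorithm; it never trusts the token's own alg header
CLOCK_SKEW = 60         # seconds of leeway for exp/nbf (assumed policy value)

# The sample token from the page, joined back into one line (decoded below, not verified).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # restore the padding the token stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_token(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS token has exactly three segments")
    return parts


def decode_unverified(token: str):
    """Return (header, payload) WITHOUT checking the signature: fine for inspection, never for trust."""
    header_b64, payload_b64, _ = split_token(token)
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token: str) -> str:
    """What an attacker sends to a verifier that honours the alg header: same payload, empty signature."""
    _, payload_b64, _ = split_token(token)
    header_b64 = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}."


def verify_hs256(token: str, secret: bytes, expected_iss: str, now: Optional[float] = None) -> dict:
    """Verify the signature first, then the claims. Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = split_token(token)
    header = json.loads(b64url_decode(header_b64))

    # 1. Algorithm pinning: rejects "none", and rejects a key-confusion attempt that relabels
    #    an RS256 token as HS256, because only the configured algorithm is ever accepted.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # 2. HMAC over the exact bytes received (never re-serialised JSON), constant-time compare.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 3. Only now read the claims; a missing exp is a failure, not "never expires".
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired or has no exp")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise ValueError("token not yet valid (nbf)")
    if claims.get("iss") != expected_iss:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    return claims


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed; real secrets are long random bytes
    claims = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022,
              "exp": 1516242622, "iss": "https://example.com"}
    token = sign_hs256(claims, secret)
    print("page token header/payload:", decode_unverified(PAGE_TOKEN))
    print("valid:", verify_hs256(token, secret, "https://example.com", now=1516239100))
    attempts = [("alg none", forge_alg_none(token), 1516239100),
                ("wrong key", sign_hs256({**claims, "sub": "admin"}, b"wrong"), 1516239100),
                ("expired", token, 1516242700)]
    for label, bad, when in attempts:
        try:
            verify_hs256(bad, secret, "https://example.com", now=when)
        except ValueError as err:
            print(f"rejected ({label}): {err}")
```

The order inside verify_hs256 is the point: the algorithm is compared against server configuration before any cryptography runs, the signature is checked over the received segments rather than over re-encoded JSON (re-encoding can change whitespace or key order and silently break or weaken verification), and the payload is parsed only after the signature passes.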

PentesterLab Exercises

See Also