JWT Cheatsheet
JSON Web Token: compact signed token used for auth. Three base64 parts: header.payload.signature.
Structure

```text
Header    = base64url({ "alg": "HS256", "typ": "JWT" })
Payload   = base64url({ "sub": "123", "name": "Alice", "iat": 1700000000, "exp": 1700003600 })
Signature = HMAC-SHA256(Header + "." + Payload, SECRET)
Token     = Header + "." + Payload + "." + Signature
```

Payload is base64 — not encrypted. Anyone can read it. Never put secrets inside.
Standard claims

- `iss`: Issuer (who created the token)
- `sub`: Subject (user id)
- `aud`: Audience (who should accept it)
- `exp`: Expiry — Unix timestamp (seconds)
- `nbf`: Not-before — token invalid until this time
- `iat`: Issued-at timestamp
- `jti`: Unique token id (for revocation lists)

Algorithms

- HS256 / HS384 / HS512: HMAC with shared secret — simple, server-only validation
- RS256 / ES256: Asymmetric — private key signs, public key verifies; needed for SSO
- none: NEVER accept — historical vulnerability

Do / don't
- DO: short-lived (15min) access tokens + long-lived refresh token stored server-side.
- DO: validate `exp`, `iss`, `aud` on every request.
- DON'T: store JWTs in `localStorage` — XSS = account takeover. Use HttpOnly cookies.
- DON'T: roll your own JWT parsing. Use a vetted library (jose, jsonwebtoken).
- DO: have a revocation strategy (jti blocklist, or short expiry + refresh).
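Added example, not part of the cheatsheet: a standard-library-only walk-through of the Structure section (base64url parts, HMAC-SHA256 over `Header + "." + Payload`) together with a verifier that applies the Do / don't rules: the server pins the algorithm (so a token claiming `alg: none` is refused), the signature is checked in constant time before the payload is trusted, and `exp`, `nbf`, `iss` and `aud` are validated. The secret, issuer and audience strings are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder secret; a real service loads it from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"


class InvalidToken(Exception):
    """Raised for any token the verifier refuses; callers treat every case the same way."""


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Put the stripped padding back before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    # Signing input is Header + "." + Payload; the signature is HMAC-SHA256 over it.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def peek_claims(token: str) -> dict:
    # The payload is only base64url-encoded: anyone holding the token can read it.
    # Nothing is verified here; never base a decision on what this returns.
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """Check the signature first, then the claims; return claims only if everything passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise InvalidToken("malformed header or signature")

    # 1. The verifier decides the algorithm; the token's own "alg" never chooses it.
    #    This is what refuses "none" and any algorithm the service did not configure.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")

    # 2. Recompute the HMAC over the exact bytes received; compare in constant time.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")

    # 3. Only now decode and trust the payload, then check time, issuer and audience.
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidToken("missing or expired exp")
    if now < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid (nbf)")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")  # RFC 7519 allows a string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    return claims


def is_accepted(token: str, secret: bytes, issuer: str, audience: str, now: int) -> bool:
    """Boolean wrapper around verify_hs256 for quick checks and tests."""
    try:
        verify_hs256(token, secret, issuer, audience, now=now)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    # Constructed sample claims mirroring the cheatsheet's payload, plus iss/aud.
    sample = {"sub": "123", "name": "Alice", "iss": "auth.example", "aud": "api.example",
              "iat": 1700000000, "exp": 1700003600}
    tok = encode_hs256(sample, SECRET)
    print(tok)
    print("readable without the key:", peek_claims(tok))
    print("valid at iat+100s:", is_accepted(tok, SECRET, "auth.example", "api.example", 1700000100))
    print("valid at exp:     ", is_accepted(tok, SECRET, "auth.example", "api.example", 1700003600))
```

The order inside `verify_hs256` is the point: the algorithm is pinned by the server, the signature is checked before any claim is read, and only then are `exp`, `nbf`, `iss` and `aud` compared against what this service expects. `peek_claims` exists only to make the "anyone can read it" line concrete. A vetted library (jose, jsonwebtoken) performs exactly these steps for you, which is why the cheatsheet says not to roll your own; the block makes the mechanics visible rather than replacing that advice.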