About JWT Cheatsheet

Structure, standard claims, algorithms, do/don't. Part of the DevTools Surf developer suite. Browse more tools in the Cheatsheets collection.

Use Cases

• Backend devs implementing stateless authentication for REST APIs
• Security engineers auditing JWT configurations for token theft risks
• Mobile developers understanding token refresh and expiry flows
• DevOps teams configuring JWT validation in API gateway policies

Tips

• Review the algorithm comparison to choose between HS256 and RS256
• Check the standard claims table for iss, sub, aud, and exp usage
• Use the do/don't section to avoid common JWT security mistakes

Fun Facts

• JWT (RFC 7519) was authored by Michael B. Jones at Microsoft and published in May 2015, building on the earlier JSON Web Signature (JWS) spec.
• A JWT has exactly three Base64URL-encoded parts separated by dots — header, payload, and signature — making it safe for URLs without encoding.
• The 'none' algorithm in JWT has caused numerous security vulnerabilities; many libraries now reject it by default after high-profile exploits in 2015-2017.

FAQ

Does it cover when NOT to use JWT?

Yes — prominently. Session cookies are usually simpler and safer for web apps. JWT shines for cross-service and stateless APIs, not for browser sessions.

What about HS256 vs RS256?

Covered. HS256 for same-service signing (fastest); RS256 for cross-service where only the issuer has the private key.

Are there security do/don'ts?

Yes — never trust alg:none, always set exp, prefer short lifetimes, watch for algorithm confusion attacks.

What claims are standard?

iss, sub, aud, exp, nbf, iat, jti — each explained with when to use them. Plus common custom claims patterns.