JWT Security Best Practices

Signing & verification

• Pin the algorithm. Accept an explicit allow-list; never derive it from the token header. See how to verify a JWT.
• Use strong keys. For HMAC, a long random secret (≥256 bits); for RSA/EC, properly generated keys. Weak HMAC secrets are brute-forceable offline.
• Reject alg:none and empty signatures outright.
• Validate kid against an allow-list; never use it for file/DB/shell lookups (kid injection).
• Ignore token-supplied key sources (jwk, jku, x5u) unless strictly pinned to trusted origins.

Claims & lifetime

• Always set and check exp; keep access-token lifetimes short (minutes). Use refresh tokens for longevity.
• Set and validate iss and audso a token for one service can't be replayed at another.
• Don't put secrets or PII in the payload. JWT claims are base64url-encoded, not encrypted — anyone with the token reads them.

Key management

• Rotate signing keys periodically; publish public keys via JWKS with stable kids.
• Have a revocation strategy (short lifetimes, deny-lists, or a token version claim) — plain JWTs can't be un-issued.

Transport & storage

• Only send tokens over HTTPS.
• In browsers, prefer HttpOnly, Secure, SameSite cookies over localStorage to reduce XSS token theft.

Want to check a specific token against these? Paste it into the Audit tab — it flags weak algorithms, missingexp, sensitive claims, and injection surface, each with how to test it.