Home/Glossary/JSON Web Token (JWT)

JSON Web Token (JWT)

A compact, URL-safe token format used to securely transmit claims between parties in web applications.

Web SecurityAlso called: "jwt", "bearer token"

JWTs consist of three parts: header, payload, and signature, separated by dots.

Structure

  • Header: Algorithm and token type.
  • Payload: Claims about the user or session.
  • Signature: Cryptographic verification using a secret key.

Security considerations

  • Never store sensitive data in the payload (it's base64-encoded, not encrypted).
  • Validate signatures on every request to prevent tampering.
  • Set short expiration times and implement refresh token rotation.
  • Use strong signing algorithms (RS256, ES256) over HS256 when possible.

Related Tools

Related Articles

View all articles
Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Master threat modeling with STRIDE and DREAD frameworks to identify, classify, and prioritize security threats before they become vulnerabilities. This comprehensive guide covers data flow diagrams, mitigation mappings, MITRE ATT&CK integration, and building an enterprise threat modeling program.

Read article →
CI/CD Pipeline Security Workflow | DevSecOps Best Practices

CI/CD Pipeline Security Workflow | DevSecOps Best Practices

Master the complete CI/CD pipeline security workflow from secrets management to SLSA framework implementation. Implement SAST, DAST, SCA, artifact signing, and policy enforcement to secure your software supply chain.

Read article →
How to Install cURL on Windows: 5 Easy Methods (2025 Guide)

How to Install cURL on Windows: 5 Easy Methods (2025 Guide)

Install cURL on Windows using PowerShell, Chocolatey, or manual download. Complete guide with step-by-step instructions for all methods.

Read article →
Kubernetes Security & Hardening Workflow | CIS Benchmark

Kubernetes Security & Hardening Workflow | CIS Benchmark

Master the complete Kubernetes security workflow from CIS benchmark assessment to runtime threat detection. Implement Pod Security Standards, RBAC, network policies, and NSA/CISA hardening guidance for production clusters.

Read article →

Explore More Web Security

View all terms

CORS (Cross-Origin Resource Sharing)

A browser security mechanism that controls how web pages can request resources from different domains, preventing unauthorized cross-site data access.

Read more →

Cross-Site Request Forgery (CSRF)

An attack that tricks a victim into submitting unauthorized requests using their authenticated session.

Read more →

Cross-Site Scripting (XSS)

A web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

Read more →

HTML Entity Encoding

A method of representing special characters in HTML using named or numeric references to prevent interpretation as code.

Read more →

HTTP Cookie

Small pieces of data stored by web browsers, used for session management, personalization, and tracking.

Read more →

HTTP Security Headers

Response headers that enable browser security protections against common web attacks.

Read more →
Back to glossary