A JWT (JSON Web Token, RFC 7519) consists of three parts, header, payload and signature, each base64url-encoded and joined with dots: header.payload.signature.
Structure
- Header: JSON naming the signing algorithm (alg) and token type (typ), often with a key identifier (kid) so the verifier knows which key to use.
- Payload: JSON claims about the user or session. Registered claims such as iss, sub, aud, exp and iat sit alongside application-specific ones.
- Signature: an HMAC (HS256) computed with a shared secret, or a digital signature (RS256, ES256) made with the issuer's private key, over the encoded header and payload. It lets a verifier detect tampering; it does not hide the contents.
Security considerations
- Never store sensitive data in the payload: it is only base64url-encoded, so anyone holding the token can read it.
- Verify the signature on every request, and verify the claims as well: reject expired tokens (exp) and tokens issued for another audience (aud) or by another issuer (iss). The verifier should pin the algorithm(s) it accepts rather than trusting the token's alg header, and must reject "none".
- Set short expiration times and implement refresh token rotation so a leaked access token is usable only for a short window.
- Prefer asymmetric algorithms (RS256, ES256) when more than one service verifies tokens: verifiers then hold only the public key, and none of them can mint tokens. HS256 is sound when a single party both issues and verifies, provided the secret is random and at least as long as the hash output (32 bytes for HMAC-SHA256).
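The structure and the verification checks above, as an added stdlib-only example (not code from the page): an HS256 issuer, a verifier that pins the algorithm, checks the signature in constant time and validates exp and aud, and two helpers that show why each check exists. The secret, claims and audience are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret (assumption): 32+ random bytes in real use.
SECRET = b"example-only-secret-of-at-least-32-bytes!!"
COMPACT = {"separators": (",", ":")}  # no whitespace in the JSON segments


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    # header.payload is the signing input; the MAC covers both segments.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, **COMPACT).encode())
                     + "." + b64url_encode(json.dumps(claims, **COMPACT).encode()))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def peek_payload(token: str) -> dict:
    # Anyone holding the token can read the claims: no key is needed.
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, audience: str, now=None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier decides the algorithm; the token's alg header is untrusted.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def forge_claims(token: str, new_claims: dict) -> str:
    # Tampering attempt: swap the payload but keep the original signature.
    h, _, s = token.split(".")
    return h + "." + b64url_encode(json.dumps(new_claims, **COMPACT).encode()) + "." + s


def unsigned_token(claims: dict) -> str:
    # A token with alg "none" and an empty signature segment.
    header = {"alg": "none", "typ": "JWT"}
    return (b64url_encode(json.dumps(header, **COMPACT).encode())
            + "." + b64url_encode(json.dumps(claims, **COMPACT).encode()) + ".")


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed clock value
    claims = {"sub": "user-123", "aud": "api", "iat": issued, "exp": issued + 300}
    token = sign_hs256(claims, SECRET)
    print("readable without the key:", peek_payload(token))
    print("verified:", verify_hs256(token, SECRET, "api", now=issued))
    for label, bad in [("forged payload", forge_claims(token, dict(claims, sub="admin"))),
                       ("alg none", unsigned_token(claims))]:
        try:
            verify_hs256(bad, SECRET, "api", now=issued)
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
    try:
        verify_hs256(token, SECRET, "api", now=issued + 300)
    except ValueError as exc:
        print(f"after exp: rejected ({exc})")
```

The forged token fails the signature check even though its payload decodes cleanly, the alg-none token is rejected before any MAC is computed, and the unmodified token is rejected the moment now reaches exp. A production verifier would additionally check iss and, for asymmetric algorithms, select the public key by kid.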