Is JWT data encrypted?

Standard JWTs are signed but not encrypted - anyone can decode and read the payload. Use JWE (JSON Web Encryption) if payload must be secret. Never put secrets in standard JWT payloads.

How long should JWTs last?

Balance security vs user experience. Common: 15 minutes to 1 hour for access tokens. Use refresh tokens for longer sessions. Shorter is more secure but requires more refresh logic.

How do I invalidate a JWT?

JWTs are stateless - you can't directly invalidate them. Options: short expiration times, token blacklists (loses statelessness benefit), or change signing key (invalidates all tokens).

Where should JWTs be stored in the browser?

HttpOnly cookies are most secure (immune to XSS). LocalStorage is convenient but vulnerable to XSS. Memory-only (no storage) is most secure but doesn't persist. Trade-offs depend on your threat model.

Book Free Assessment Calculator

JWT

JSON Web Token

A compact, URL-safe token format for securely transmitting claims between parties. Used for authentication and authorisation in web applications and APIs.

In-Depth Explanation

JSON Web Tokens (JWT) are a standard for securely transmitting information as a JSON object. They're commonly used for authentication, allowing stateless session management.

JWT structure (three parts):

Header: Token type and signing algorithm
Payload: Claims (data about the user/session)
Signature: Verification that token is valid

JWT claim types:

Registered: iss (issuer), exp (expiration), sub (subject)
Public: Standardised claims
Private: Custom application claims

JWT characteristics:

Self-contained (carries its own data)
Stateless (server doesn't store session)
Tamper-evident (signature verification)
Compact (URL-safe encoding)

JWT considerations:

Can't be revoked without extra infrastructure
Payload is encoded, not encrypted (visible)
Size grows with claims added
Expiration is crucial for security

Business Context

JWTs enable scalable authentication without server-side session storage. Common in modern APIs and single-page applications.

How Clever Ops Uses This

We use JWTs for secure API authentication in Australian business applications, enabling stateless, scalable architecture.

Example Use Case

"User logs in, receives a JWT containing their ID and permissions. Each API request includes this token, letting the server verify access without database lookups."

Frequently Asked Questions

Learn More

API Integration Patterns: Building Reliable, Scalable LLM Applications

Master patterns for integrating with LLM APIs reliably at scale. Learn error handling, rate limiting, caching, cost optimization, and production-ready architectures for OpenAI, Anthropic, and other providers.

Read article

JSON Kaizen