DevBolt

JWT Security Best Practices

JWTs are powerful but easy to misuse. Common vulnerabilities include algorithm confusion, missing validation, excessive token lifetimes, and insecure storage. Follow these best practices to build secure JWT-based systems.


JWT Builder

Build and sign JSON Web Tokens with custom claims and your choice of HMAC, RSA, or ECDSA algorithms. All signing happens in your browser.


The secret is used to sign the token. Keep it safe — never share production secrets.

Standard Claims

iss: Who issued this token
sub: Who the token is about
aud: Intended recipient
jti: Unique token identifier

Custom Claims

Any additional key-value pairs you add are included in the payload alongside the standard claims.

Payload Preview

{
  "iat": 1773930972,
  "exp": 1773934572
}

Algorithm Reference

HMAC (symmetric)

HS256 / HS384 / HS512

Shared secret key. Simple setup. Both signer and verifier need the same key.

RSA (asymmetric)

RS256 / RS384 / RS512

Public/private key pair. Private key signs, public key verifies. Most common in production.

ECDSA (asymmetric)

ES256 / ES384 / ES512

Elliptic curve keys. Comparable security to RSA at much smaller key sizes. Faster verification.


Always validate the algorithm

The most critical JWT vulnerability is the "alg: none" attack, where an attacker modifies the header to use the "none" algorithm, removing signature verification. Always whitelist allowed algorithms on the server side — never trust the "alg" header from the token itself. Most JWT libraries support an "algorithms" parameter that restricts which algorithms are accepted during verification.

Set short expiration times

Access tokens should expire in 5-15 minutes for high-security applications and up to 1 hour for lower-risk scenarios. Use refresh tokens (stored securely, preferably server-side) to issue new access tokens without requiring re-authentication. Short-lived tokens limit the window of abuse if a token is stolen. Never create tokens without an expiration claim.

Secure token storage

In browsers, store tokens in httpOnly, Secure, SameSite cookies — not localStorage or sessionStorage, which are vulnerable to XSS attacks. If you must use localStorage (e.g., for SPAs calling third-party APIs), implement Content Security Policy headers and sanitize all user input rigorously. In mobile apps, use the platform keychain (iOS Keychain, Android Keystore). Never log or expose tokens in URLs.

Validate all claims

Always verify: the signature is valid, the token has not expired (exp), the issuer (iss) matches your expected issuer, the audience (aud) includes your service, and the token is not being used before its "not before" time (nbf). Skipping any of these checks opens attack vectors. Additionally, maintain a token blacklist or use short expiration for immediate revocation needs.

Frequently Asked Questions

Should I encrypt my JWTs?

Standard JWTs (JWS) are signed but not encrypted — the payload is Base64url-encoded and readable by anyone. If your payload contains sensitive data, use JWE (JSON Web Encryption) or, better yet, keep sensitive data out of the token entirely and store it server-side, referenced by a claim like "sub" or "jti".

How do I revoke a JWT before it expires?

JWTs are stateless by design, so there is no built-in revocation mechanism. Common approaches: maintain a server-side blacklist of revoked token IDs (jti), use very short expiration times with refresh tokens, or switch to opaque tokens for scenarios requiring immediate revocation. Each approach trades off between statelessness and control.
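The jti blacklist mentioned both in the "Validate all claims" section and in this answer is simple to get wrong in one respect: if revoked IDs are never removed, the list grows without bound. The following added example (not DevBolt's code) keeps each revoked jti only until that token's own exp, after which the verifier would reject the token anyway. It assumes the claims passed in have already had their signature and exp verified; the class and function names are the example's own.

```javascript
// Added example (not DevBolt's code): a server-side revocation list keyed by
// jti, bounded by the tokens' own expiration times.
class RevocationList {
  constructor() {
    this.revoked = new Map(); // jti -> exp (seconds since epoch)
  }

  // Record a revocation; exp lets the entry be dropped once the token is dead.
  revoke(jti, exp) {
    this.revoked.set(jti, exp);
  }

  // Drop entries whose tokens can no longer pass an exp check.
  prune(now) {
    for (const [jti, exp] of this.revoked) {
      if (exp <= now) this.revoked.delete(jti); // deleting during Map iteration is safe
    }
  }

  isRevoked(jti, now = Math.floor(Date.now() / 1000)) {
    this.prune(now);
    return this.revoked.has(jti);
  }

  size() {
    return this.revoked.size;
  }
}

// Post-verification step. A token without a jti cannot be revoked
// individually, so this policy refuses it outright.
function checkNotRevoked(claims, list, now) {
  if (typeof claims.jti !== 'string' || claims.jti.length === 0) {
    return { ok: false, reason: 'missing jti' };
  }
  if (list.isRevoked(claims.jti, now)) {
    return { ok: false, reason: 'revoked' };
  }
  return { ok: true };
}

// Constructed walkthrough with a fixed clock.
const list = new RevocationList();
list.revoke('tok-1', 1000);                                   // token expires at t=1000
console.log(checkNotRevoked({ jti: 'tok-1' }, list, 500));    // { ok: false, reason: 'revoked' }
console.log(checkNotRevoked({ jti: 'tok-2' }, list, 500));    // { ok: true }
console.log(list.isRevoked('tok-1', 1000), list.size());       // false 0 (entry pruned)
```

In a multi-instance deployment the Map would be replaced by a shared store with the same expiry semantics (for example a key with a TTL equal to the remaining token lifetime), but the invariant is identical: the list only ever holds IDs of tokens that could still be presented.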

Is it safe to decode JWTs in the browser?

Yes — decoding (reading the payload) is safe and expected. The payload is not secret; it is only Base64url-encoded. However, never trust a decoded token without verifying its signature on the server side. Client-side decoding is useful for displaying user info or checking expiration, but all authorization decisions must happen server-side after signature verification.
