JWT Explained
The compact, self-contained token format that powers stateless authentication across modern web applications and APIs.
JWT
JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit claims between parties as a self-contained JSON object that can be verified and trusted because it is digitally signed.
Explanation
JWTs are the standard mechanism for stateless authentication in modern web applications. A JWT consists of three base64url-encoded parts separated by dots: a header (signing algorithm and token type), a payload (claims such as the user ID, roles, issue and expiration times), and a signature (cryptographic proof that the header and payload have not been altered since the token was issued).

When a user logs in, the server creates a JWT containing the user's identity and permissions, signs it with its signing key (a shared secret for HMAC algorithms such as HS256, or a private key for asymmetric algorithms such as RS256 and ES256), and sends it to the client. The client includes this token in subsequent requests, typically in the Authorization header or a cookie. The server verifies the signature and checks the claims without querying a database, which is what makes JWTs stateless and easy to scale horizontally.

JWTs come in two flavors: JWS (signed, ensuring integrity) and JWE (encrypted, ensuring confidentiality). The tokens most applications issue are JWS, which means the payload is readable by anyone who holds the token.

Common pitfalls include storing sensitive data in the payload (it is base64url-encoded, not encrypted), using weak or guessable signing keys, letting the token's own header choose the verification algorithm instead of pinning the one the server issues (which is how tokens with "alg": "none" or a swapped algorithm get accepted), not validating the expiration time (exp) and other claims, and having no way to revoke a token before it expires. Short-lived access tokens (around 15 minutes) paired with longer-lived refresh tokens are the recommended pattern.
Bookuvai Implementation
Bookuvai implements JWT-based authentication with short-lived access tokens (15 minutes) and secure httpOnly refresh tokens. Our standard auth middleware validates token signatures, checks expiration, and extracts user claims on every request. Token rotation and revocation lists handle logout and security incidents.
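To make the mechanics in the Explanation and the checks the auth middleware above is described as performing concrete, here is an added illustration of an HS256 issue/verify flow with a jti-keyed revocation set. It is example code for this glossary entry, not Bookuvai's middleware and not a library API; the secret key, claim values and clock values are constructed, and it uses only the Python standard library.

```python
"""Minimal HS256 JWT issue/verify with exp check and a jti revocation set.

Added illustration for this glossary entry; not Bookuvai's middleware code.
Uses only the standard library. Key, claims and clock values are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. A real HS256 key should be at least 256 bits of
# randomness, loaded from a secret store, and never committed to source control.
SECRET_KEY = b"demo-secret-key-for-illustration-only-0123456789"

REVOKED_JTIS: set[str] = set()  # in-memory stand-in for a revocation store


def _b64url_encode(data: bytes) -> str:
    # JWT segments use unpadded base64url (RFC 7515 section 2), not plain base64.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that the token format strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(sub: str, roles: list[str], ttl_seconds: int = 900,
                now: float | None = None) -> str:
    """Issue a short-lived (default 900 s = 15 min) access token with a unique jti."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": sub,
        "roles": roles,
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "jti": secrets.token_urlsafe(16),  # random ID so this token can be revoked
    }
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    signature = _hs256(signing_input.encode("ascii"), SECRET_KEY)
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_token(token: str, now: float | None = None) -> dict:
    """Return the claims if the token is valid; raise ValueError otherwise.

    Checks, in order: structure, pinned algorithm, signature, exp, revocation.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the server issues. Trusting header["alg"] is what lets
    # "alg": "none" or algorithm-confusion tokens through.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _hs256(f"{header_b64}.{payload_b64}".encode("ascii"), SECRET_KEY)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("jti") in REVOKED_JTIS:
        raise ValueError("token revoked")
    return claims


def revoke_token(token: str) -> None:
    """Revoke by jti (e.g. on logout). Entries only need to live until exp passes."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    REVOKED_JTIS.add(payload["jti"])


def decode_payload_unverified(token: str) -> dict:
    """The payload is readable by anyone holding the token: base64url is not encryption."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    tok = issue_token("user-42", ["reader"], now=t0)
    print(verify_token(tok, now=t0 + 60))
    print(decode_payload_unverified(tok))
```

Two design points worth noting: the algorithm is compared against a server-side constant before the signature is checked, and the revocation set is keyed by the jti claim so that a single logout or incident can invalidate one token without touching the signing key. Because entries are only needed until the token's exp passes, a 15-minute token lifetime keeps the revocation store small.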
Key Facts
- JWTs are self-contained — the server needs no database lookup to validate them
- Tokens consist of three base64url-encoded parts separated by dots: header, payload, signature
- Access tokens should be short-lived (15 minutes) to limit exposure
- A signed JWT (JWS) gives integrity, not confidentiality: anyone holding the token can decode the payload, so do not store secrets in it
- Verify against the algorithm the server issues, never the one named in the token header
- RS256 (asymmetric) is preferred over HS256 (symmetric) for distributed systems, because verifying services only need the public key and never hold the secret that can mint tokens
Frequently Asked Questions
- Are JWTs secure?
- JWTs are secure when implemented correctly: use strong signing keys, pin the verification algorithm server-side, use short expiration times, store tokens in httpOnly cookies (with SameSite and CSRF protection, since cookies are sent automatically), and validate all claims (signature, exp, issuer, audience). Common vulnerabilities come from weak keys, accepting the algorithm named in the token header, missing expiration checks, or storing tokens in localStorage.
- How do I revoke a JWT?
- Since JWTs are stateless, the signature alone cannot tell you a token has been withdrawn. Use short-lived tokens (15 minutes) so they expire quickly, and keep a server-side revocation list keyed by the token's jti claim that the middleware checks on every request for immediate invalidation when needed (e.g., logout, password change). Entries only need to be kept until the token's exp passes. Rotating the signing key invalidates every outstanding token at once and is the fallback for a key compromise.
- Should I store JWTs in localStorage or cookies?
- Use httpOnly, Secure cookies. localStorage is readable by any JavaScript running on the page, so an XSS bug exposes the token to theft. httpOnly cookies cannot be read by JavaScript and are sent automatically with requests; because they are sent automatically, set SameSite and add CSRF protection so a third-party site cannot ride on the user's session.