Complete JWT Security Guide: Decoding, Verification, and Common Vulnerabilities
What Is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties. It's the most popular API authentication scheme, widely used by OAuth 2.0 and OpenID Connect.
JWT Structure
A JWT has three parts separated by .:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
│ Header │.│ Payload │.│ Signature │
| Part | Content | Encoding |
|---|---|---|
| Header | Algorithm + type | Base64URL |
| Payload | Claims | Base64URL |
| Signature | Signature over Header.Payload | Algorithm(Header + Payload, Secret) |
⚠️ Header and Payload are only Base64URL-encoded—they are not encrypted. Anyone can decode and read them.
Decode JWT with ToolsKu
Steps
- Open the JWT Decoder
- Paste the JWT string
- View decoded Header and Payload JSON
- Check expiration, issuer, and other fields
Common Payload Fields
| Field | Meaning | Example |
|---|---|---|
| sub | Subject (user ID) | "user_12345" |
| iss | Issuer | "https://auth.example.com" |
| aud | Audience | "api.example.com" |
| exp | Expiration (Unix seconds) | 1717200000 |
| iat | Issued at | 1717196400 |
| nbf | Not before | 1717196400 |
| jti | JWT ID (unique identifier) | "a1b2c3d4" |
JWT Signing Algorithms
| Algorithm | Type | Security | Use Case |
|---|---|---|---|
| HS256 | Symmetric | Medium | Single service, internal APIs |
| HS384/HS512 | Symmetric | Medium–high | Higher security requirements |
| RS256 | Asymmetric | High | Multi-service, OAuth |
| ES256 | Asymmetric | High | Mobile, IoT |
| none | No signature | ❌ Dangerous | Never use |
Symmetric vs Asymmetric
HS256 (symmetric):
Sign: HMAC-SHA256(header.payload, shared_secret)
Verify: Same shared_secret
Issue: All services share one secret—a leak affects everything
RS256 (asymmetric):
Sign: RSA-SHA256(header.payload, private_key)
Verify: RSA-SHA256(header.payload, public_key)
Advantage: Public key can be distributed; private key stays with issuer
Common Security Vulnerabilities
1. alg: none Attack
An attacker changes Header alg to none and removes the Signature:
// Original Header
{"alg": "HS256", "typ": "JWT"}
// Attacker modification
{"alg": "none", "typ": "JWT"}
Defense: Server must whitelist allowed algorithms and reject none.
2. Key Confusion Attack
Switch RS256 to HS256 and use the public key as the HMAC secret:
Attacker gets public key → changes alg to HS256 → signs with public key → server verifies HMAC with public key → passes
Defense: Pin the expected alg on the server side and reject tokens whose Header alg differs; never let the token's header choose which key or verification routine is used.
3. Sensitive Data Leakage
Because the Payload is only Base64URL-encoded, never store the following in a JWT:
- ❌ Passwords, credit card numbers
- ❌ Personal private information
- ✅ User ID, roles, permissions
4. Improper Expiration
// ❌ No expiration — token valid forever
{"sub": "user_123"}
// ❌ Expiration too long — leaked token stays valid
{"sub": "user_123", "exp": 1893456000} // year 2030
// ✅ Reasonable expiration + refresh flow
{"sub": "user_123", "exp": 1717200000} // 15–60 minutes
JWT Best Practices
1. Short-Lived Access Token + Refresh Token
Access Token: 15–60 minute expiry, used for API calls
Refresh Token: 7–30 day expiry, used to obtain new access tokens
2. Storage Location
| Storage | XSS Risk | CSRF Risk | Recommended |
|---|---|---|---|
| localStorage | High | Low | ❌ |
| sessionStorage | High | Low | ❌ |
| HttpOnly Cookie | Low | High | ⚠️ Needs CSRF protection |
| In-memory variable | Low | Low | ✅ Recommended for SPAs |
3. Verification Checklist
When validating a JWT on the server, always check:
- Signature is valid
- exp has not expired
- nbf is in effect
- iss is the expected issuer
- aud includes the current service
- alg is on the whitelist
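An added example, not from ToolsKu or the original page, that runs this checklist for HS256 using only Python's standard library. It covers the alg: none and key-confusion cases above in one pinned-algorithm check; the secret, issuer, audience and token values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    # Base64URL drops padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(header, payload, secret):
    # Issuer side: compact JSON, Base64URL, HMAC-SHA256 over "header.payload"
    compact = lambda d: b64url_encode(json.dumps(d, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, secret, issuer, audience, now=None):
    """Run the checklist above; raise ValueError on the first failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm server-side instead of trusting the header: this one
    # check rejects alg=none and the RS256->HS256 key-confusion swap.
    if header.get("alg") != "HS256":
        raise ValueError("alg not on whitelist: %r" % header.get("alg"))
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("missing or expired exp")
    if now < payload.get("nbf", now):
        raise ValueError("nbf not yet reached")
    if payload.get("iss") != issuer:
        raise ValueError("wrong iss")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this service")
    return payload

def rejection_reason(token, secret, issuer, audience, now=None):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_hs256(token, secret, issuer, audience, now)
        return None
    except ValueError as e:
        return str(e)
```

In production use a maintained JWT library with the algorithm pinned in the verify call; this block shows the checks that library must perform before the payload is trusted.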
Debugging JWT Issues
- Decode JWT: Use the JWT Decoder to inspect Header and Payload
- Check exp: Has the token expired?
- Check alg: Does the signing algorithm match expectations?
- Check iss/aud: Are issuer and audience correct?
- Verify signature: Use the JWT Generator to re-sign with the same secret and compare
- Check transport: Is the Authorization header Bearer <token>?
Related Tools
- JWT Decoder — Parse Header and Payload
- JWT Generator — Create custom JWTs for testing
- HMAC Calculator — Understand HMAC signing
- Base64 Encode/Decode — Encoding used by JWT
Summary
JWT is a cornerstone of modern API authentication, but Base64 encoding (not encryption) creates unique security challenges. Understanding structure, signing, and common vulnerabilities is essential for full-stack developers. ToolsKu's JWT decoder helps you debug auth quickly—but remember: decoding is not verification; always validate signatures on the server in production.