JWT Best Practices Checklist
JSON Web Tokens (JWTs) are widely used for authentication and authorization, but they come with security considerations that developers must address carefully.
Key Management
- Use strong secrets: Minimum 256-bit keys for HS256; 2048-bit RSA for RS256
- Rotate secrets regularly: Implement key rotation with the
kidheader claim - Never hardcode secrets: Store in environment variables or a secrets manager
- Use separate keys per environment: Development, staging, and production must use different keys
Token Design
- Set short expiration times: Access tokens should expire in 15–60 minutes
- Include only necessary claims: Don't embed sensitive data in the payload
- Validate the
audclaim: Ensure tokens are intended for your service - Always specify the algorithm: Never use
alg: none
Transmission & Storage
- Use HTTPS exclusively: Never transmit tokens over unencrypted connections
- Store in httpOnly cookies: Prevents JavaScript access and XSS attacks
- Implement CSRF protection: When using cookie storage
- Don't store in localStorage: Vulnerable to XSS attacks
Validation
- Verify the signature: Always validate before trusting any claim
- Check expiration (
exp): Reject expired tokens immediately - Validate
issandaud: Confirm token issuer and audience - Use a well-maintained library: Don't implement JWT parsing yourself
Revocation
- Implement token blacklisting: For immediate revocation needs
- Use refresh token rotation: Issue new refresh tokens on each use
- Monitor for anomalies: Track unusual usage patterns
Following these practices will significantly reduce your JWT security risk surface.
Use the JWT Secret Generator to create strong keys, the JWT Validator to test tokens, and the JWT Encoder to inspect signed payloads during development.