Glossary
50 definitions covering JSON Web Tokens, signing algorithms, standard claims, secrets management, and cryptographic primitives. Each term includes a plain-language definition, why it matters for production security, optional code examples, and links to related tools and comparisons.
New to JWTs? Start with JSON Web Token, JWT secret keys, and HS256. For side-by-side decisions, see our comparison guides.
A
Access Token
Access tokens authorize API requests. Learn how JWT access tokens differ from refresh tokens.
alg Header Parameter
The alg header declares the signing algorithm. Learn why hardcoded algorithm validation is mandatory.
Algorithm Confusion Attack
Algorithm confusion lets attackers forge JWTs by switching RS256 to HS256. Learn prevention steps.
aud (Audience) Claim
The aud claim names the intended recipients of a JWT. Learn why audience checks stop cross-service token reuse.
B
C
CORS (Cross-Origin Resource Sharing)
CORS controls cross-origin browser access to APIs that accept JWT bearer tokens.
Cryptographic Entropy
High entropy is required for JWT secrets and jti values. Learn how randomness affects security.
Cryptographic Salt
Salts add randomness to key derivation. Learn how salts differ from JWT signing secrets.
E
Environment Variables
Environment variables inject secrets at runtime. Learn 12-factor patterns for JWT keys.
ES256 (ECDSA-SHA256)
ES256 uses elliptic curve keys for compact asymmetric JWT signing. Learn when ES256 beats RS256.
exp (Expiration) Claim
The exp claim sets when a JWT expires. Learn why short-lived tokens are critical for security.
H
HMAC (Hash-based Message Authentication Code)
HMAC combines a hash function with a secret key. Learn how HMAC powers HS256 JWT signatures.
HS256 (HMAC-SHA256)
HS256 uses a shared secret to sign JWTs. Learn when HS256 is the right choice and its key length requirements.
HS384 (HMAC-SHA384)
HS384 uses HMAC with SHA-384 for JWT signing. Learn when HS384 fits your security policy.
HS512 (HMAC-SHA512)
HS512 uses SHA-512 HMAC for JWT signing. Learn secret length requirements and tradeoffs.
I
J
JSON Web Key Set
A JSON Web Key Set bundles multiple public keys for JWT verification endpoints.
JSON Web Token (JWT)
Learn what a JSON Web Token is, how header, payload, and signature work, and why JWTs power modern authentication.
jti (JWT ID) Claim
The jti claim provides a unique ID for replay detection and token revocation tracking.
JWE (JSON Web Encryption)
JWE encrypts JWT claims for confidentiality. Learn when encryption beats signing alone.
JWK (JSON Web Key)
A JWK represents a cryptographic key in JSON for JWT verification and JWKS endpoints.
JWKS Endpoint
A JWKS endpoint publishes public keys for JWT verification. Essential for RS256 and ES256.
JWS (JSON Web Signature)
JWS is the signed JWT format with header, payload, and signature. Learn how JWS differs from JWE.
JWT Header
The JWT header declares the signing algorithm and token type. Learn why alg validation prevents attacks.
JWT Payload
The JWT payload holds claims about the subject and token metadata. Learn registered and custom claims.
JWT Secret Key
What is a JWT secret key? Learn how HMAC signing secrets work and why key quality determines JWT security.
K
M
N
O
P
R
Refresh Token
Refresh tokens renew access tokens without re-login. Learn rotation and storage best practices.
RS256 (RSA-SHA256)
RS256 uses RSA public/private key pairs for JWT signing. Learn when asymmetric signing fits microservices.
RSA Cryptography
RSA is the public-key algorithm behind RS256 and PS256 JWT signing. Learn key sizes and PEM usage.
S
scope Claim
The scope claim lists granted permissions. Learn how scopes drive API authorization.
Secrets Manager
Secrets managers store and rotate JWT signing keys securely. Compare AWS, Vault, and others.
Session Cookie
Session cookies store session IDs server-side. Compare with JWT-based stateless authentication.
SHA-256
SHA-256 is the hash behind HS256 and RS256. Learn its role in JWT cryptography.
SHA-512
SHA-512 produces 512-bit hashes used in HS512. Learn when larger digests matter.
Stateless Authentication
Stateless authentication validates JWTs without server-side session storage. Learn tradeoffs vs sessions.
sub (Subject) Claim
The sub claim identifies the principal the JWT is about. Learn subject design for multi-tenant apps.
T
U
Z
Frequently Asked Questions
What is a JWT glossary term?
Each entry defines one JWT or cryptography concept in plain language — algorithm names, standard claims, token formats, and security primitives used when building authentication systems.
How do I use the JWTSecrets glossary?
Search alphabetically or start from core terms like JWT, HS256, and jwt-secret. Each page links to related tools, comparisons, and blog guides for deeper context.
Are glossary definitions enough for production security?
Definitions explain concepts; production systems still need proper secret storage, algorithm allowlists, short token lifetimes, and signature verification in code — use our tools and guides alongside these definitions.
How is this glossary different from RFC 7519?
RFC 7519 is the formal specification. Our glossary translates those standards into developer-friendly explanations with practical security guidance and links to working browser tools.