jti (JWT ID) Claim

The jti (JWT ID) claim is a registered claim that provides a unique identifier for the token. Issuers use it to detect replay attacks, implement one-time tokens, or maintain revocation lists. jti should be unique per issuer when used for security controls. UUID v4 is a common choice. Unlike jti in opaque refresh tokens, JWT jti is visible in the payload. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail. Document expected behavior for client teams so tokens are issued, stored, and validated consistently across services.

Why It Matters

jti enables server-side deny lists for otherwise valid tokens before exp. Pair jti with a short-lived cache or database of used IDs for password-reset links, email verification, and step-up authentication flows where single-use tokens matter. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses. Review this during every auth-related change, including framework upgrades, CDN additions, and new mobile or third-party clients.

Code Example

jti claim
{
  "sub": "user_42",
  "jti": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "exp": 1720454400
}

Related Terms

Related Tools

Related Articles

Frequently Asked Questions

Is jti required?

Optional, but valuable when you need replay protection or explicit revocation of individual tokens before expiration. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

What makes a good jti value?

A cryptographically random unique string, such as a UUID v4, generated at issuance time. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

How long should jti be stored?

At least until the token expires, longer if you track reuse across refresh flows. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.