JSON Web Token (JWT) Cheatsheet 2026
Syntaxes and patterns for JSON Web Tokens: structure (Header.Payload.Signature), signing keys, validation, claims (sub, exp, iat), and storage.
Token Structure
When to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
Header.Payload.SignatureOutput Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedWhen to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9Output Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedWhen to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
{"sub": "1234567890", "name": "John Doe", "iat": 1516239022}Output Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedStandard Claims
When to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
sub / iss / audOutput Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedWhen to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
exp / iat / nbfOutput Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedNode.js (jsonwebtoken)
When to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
const token = jwt.sign({ userId: 123 }, process.env.JWT_SECRET, { expiresIn: '1h' });Output Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedWhen to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
const decoded = jwt.verify(token, process.env.JWT_SECRET);Output Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedVerification
When to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
Authorization: Bearer <token>Output Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedSecurity Best Practices
When to Use
When deciding on secure frontend local storage locations for generated tokens.
Common Mistakes
Storing JWTs inside standard LocalStorage, making them fully vulnerable to Cross-Site Scripting (XSS) script injections.
Shortcut / Pro-Tip
Always flag cookies as HttpOnly, Secure, and SameSite=Strict to defend tokens against XSS and CSRF alike.Example
Store in HttpOnly, Secure, SameSite=Strict CookieOutput Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedWhen to Use
When securing REST API endpoints or managing stateless user session authentications across independent microservices.
Common Mistakes
Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.
Shortcut / Pro-Tip
Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.Example
Never store sensitive data (passwords, PII) in payloadOutput Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidatedJWT Best Practices
1Use Strong Signature Keys
Always sign your tokens using robust, high-entropy cryptographic keys or RS256 asymmetric private/public key pairs.
2Set Brief Expiration Windows (TTL)
Configure tight token lifespans (e.g., 15 minutes) and issue secure refresh tokens to renew active user sessions safely.
3Block XSS with HttpOnly Cookies
Store tokens inside HttpOnly, Secure, SameSite=Strict cookies rather than LocalStorage to prevent malicious script exposure.
4Always Validate Incoming Signatures
Never trust incoming JWT payloads on the server without thoroughly verifying their signature against your public/private key.
5Avoid Sensitive Payload Data
Since JWT payloads are only base64-encoded and fully visible to anyone, never write sensitive data like passwords or social security numbers inside.
Common JWT Errors & Solutions
Signature Verification Failed
The token signature does not match the secret key. Verify key configurations and signature algorithms across servers.
TokenExpiredError
The token has passed its expiration time ('exp' claim). Implement refresh token routes to fetch fresh tokens dynamically.
Storing passwords or secrets in claims
Payload claims are public! Solution: Store only non-sensitive identifiers (like user ID) and look up user details in the DB.
Allowing the 'none' signing algorithm
An attacker could pass a token with 'alg': 'none' and bypass validation. Solution: Explicitly configure your backend library to reject 'none' algorithm.
JWT replay attacks
Tokens intercepted by third-parties can be reused. Solution: Use HTTPS exclusively, verify origin IPs, and set low token lifespans.
Common JWT Interview Questions
Q1What are the three parts of a JSON Web Token?
A JWT consists of three parts separated by periods: the Header (specifies algorithm and token type), the Payload (contains claims like user ID and expiration), and the Signature (verifies integrity).
Q2What is the 'none' algorithm vulnerability in JWT?
It is a vulnerability where some parsing libraries accept a token with 'alg' set to 'none' as valid without verifying any signature, allowing attackers to forge arbitrary payloads. Secure libraries must reject this.
Q3How does a symmetric key differ from an asymmetric key in JWT signing?
Symmetric signing (e.g. HS256) uses the exact same secret key to both sign and verify the token. Asymmetric signing (e.g. RS256) uses a private key to sign the token and a public key to verify it.
Q4What are some standard registered claims inside a JWT payload?
Standard claims include 'iss' (issuer), 'sub' (subject/user), 'aud' (audience), 'exp' (expiration time), 'nbf' (not before), and 'iat' (issued at).
Q5How can you invalidate a JWT before its expiration date?
Since JWTs are stateless, they cannot be invalidated directly. You must maintain a server-side blacklist (e.g. in Redis) of revoked token IDs, or track a user token-version counter in the database.
Generated from LearnHubly Developer Cheatsheets
Access interactive sandbox tests, tools, and developer code bases at https://www.learnhubly.com