Security & Auth
Updated for 2026

JSON Web Token (JWT) Cheatsheet 2026

Syntaxes and patterns for JSON Web Tokens: structure (Header.Payload.Signature), signing keys, validation, claims (sub, exp, iat), and storage.

Token Structure

Header.Payload.Signature
The three distinct parts of a JWT, base64url-encoded and separated by dots.

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

Header.Payload.Signature

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Standard base64Url encoded Header indicating HMAC SHA256 algorithm and JWT type.

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated
{"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
Standard claims payload storing user identity and metadata details.

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

{"sub": "1234567890", "name": "John Doe", "iat": 1516239022}

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated

Standard Claims

sub / iss / aud
Registered Claims: Subject (user identifier), Issuer (token authority), and Audience (recipient target).

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

sub / iss / aud

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated
exp / iat / nbf
Registered Claims: Expiration Time, Issued At time, and Not Before time (all in Unix epoch seconds).

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

exp / iat / nbf

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated

Node.js (jsonwebtoken)

const token = jwt.sign({ userId: 123 }, process.env.JWT_SECRET, { expiresIn: '1h' });
Generate and sign a new secure JWT containing a custom payload using jsonwebtoken (Node.js).

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

const token = jwt.sign({ userId: 123 }, process.env.JWT_SECRET, { expiresIn: '1h' });

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated
const decoded = jwt.verify(token, process.env.JWT_SECRET);
Verify and decode a JWT. Throws error if expired or signature is invalid.

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

const decoded = jwt.verify(token, process.env.JWT_SECRET);

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated

Verification

Authorization: Bearer <token>
Send JWT to the server inside HTTP requests using the standard Bearer authorization header.

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

Authorization: Bearer <token>

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated

Security Best Practices

Store in HttpOnly, Secure, SameSite=Strict Cookie
The most secure storage method to protect JWTs from Cross-Site Scripting (XSS) attacks.

When to Use

When deciding on secure frontend local storage locations for generated tokens.

Common Mistakes

Storing JWTs inside standard LocalStorage, making them fully vulnerable to Cross-Site Scripting (XSS) script injections.

Shortcut / Pro-Tip

Always flag cookies as HttpOnly, Secure, and SameSite=Strict to defend tokens against XSS and CSRF alike.

Example

Store in HttpOnly, Secure, SameSite=Strict Cookie

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated
Never store sensitive data (passwords, PII) in payload
Since JWT payloads are only base64url-encoded and NOT encrypted, anyone can decode and view them.

When to Use

When securing REST API endpoints or managing stateless user session authentications across independent microservices.

Common Mistakes

Storing highly sensitive or secret information (like passwords or private keys) directly inside the base64-encoded JWT payload.

Shortcut / Pro-Tip

Set moderate expiration windows (e.g. 15 minutes) and implement refresh tokens to maintain active sessions securely.

Example

Never store sensitive data (passwords, PII) in payload

Output Example

Console / Terminal
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywiZXhwIjoxNTg5OTE4NDAwfQ.SignatureValidated

JWT Best Practices

1Use Strong Signature Keys

Always sign your tokens using robust, high-entropy cryptographic keys or RS256 asymmetric private/public key pairs.

2Set Brief Expiration Windows (TTL)

Configure tight token lifespans (e.g., 15 minutes) and issue secure refresh tokens to renew active user sessions safely.

3Block XSS with HttpOnly Cookies

Store tokens inside HttpOnly, Secure, SameSite=Strict cookies rather than LocalStorage to prevent malicious script exposure.

4Always Validate Incoming Signatures

Never trust incoming JWT payloads on the server without thoroughly verifying their signature against your public/private key.

5Avoid Sensitive Payload Data

Since JWT payloads are only base64-encoded and fully visible to anyone, never write sensitive data like passwords or social security numbers inside.

Common JWT Errors & Solutions

Error

Signature Verification Failed

Solution

The token signature does not match the secret key. Verify key configurations and signature algorithms across servers.

Error

TokenExpiredError

Solution

The token has passed its expiration time ('exp' claim). Implement refresh token routes to fetch fresh tokens dynamically.

Error

Storing passwords or secrets in claims

Solution

Payload claims are public! Solution: Store only non-sensitive identifiers (like user ID) and look up user details in the DB.

Error

Allowing the 'none' signing algorithm

Solution

An attacker could pass a token with 'alg': 'none' and bypass validation. Solution: Explicitly configure your backend library to reject 'none' algorithm.

Error

JWT replay attacks

Solution

Tokens intercepted by third-parties can be reused. Solution: Use HTTPS exclusively, verify origin IPs, and set low token lifespans.

Common JWT Interview Questions

Q1What are the three parts of a JSON Web Token?

A JWT consists of three parts separated by periods: the Header (specifies algorithm and token type), the Payload (contains claims like user ID and expiration), and the Signature (verifies integrity).

Q2What is the 'none' algorithm vulnerability in JWT?

It is a vulnerability where some parsing libraries accept a token with 'alg' set to 'none' as valid without verifying any signature, allowing attackers to forge arbitrary payloads. Secure libraries must reject this.

Q3How does a symmetric key differ from an asymmetric key in JWT signing?

Symmetric signing (e.g. HS256) uses the exact same secret key to both sign and verify the token. Asymmetric signing (e.g. RS256) uses a private key to sign the token and a public key to verify it.

Q4What are some standard registered claims inside a JWT payload?

Standard claims include 'iss' (issuer), 'sub' (subject/user), 'aud' (audience), 'exp' (expiration time), 'nbf' (not before), and 'iat' (issued at).

Q5How can you invalidate a JWT before its expiration date?

Since JWTs are stateless, they cannot be invalidated directly. You must maintain a server-side blacklist (e.g. in Redis) of revoked token IDs, or track a user token-version counter in the database.