Authentication & Tokens · 1 min read

JWT Token Analysis and Security Pitfalls

JSON Web Tokens (JWTs) are the standard for stateless authentication in modern APIs. A JWT has three Base64-encoded parts separated by dots: header, payload, signature. Decoding the first two parts is trivial and reveals the claims, algorithm, and expiry. Security issues lurk in how the token is generated, verified, and stored.

Try it now

JWT Decoder

Runs in your browser, nothing leaves your device.

The header's `alg` field: if it's 'none', the token has no signature at all. If it's HS256 but the server uses RSA, you might have an algorithm confusion vulnerability. The payload's claims: `exp` for expiry (is it reasonable?), `iat` for issue time, `sub` for subject, and any custom claims that might leak sensitive data. Check if the token contains PII, roles, or internal IDs that shouldn't be client-accessible.

Algorithm confusion: changing alg from RS256 to HS256 and signing with the public key. The alg:none attack: removing the signature entirely. Missing expiry: tokens that never expire remain valid forever if stolen. Sensitive data in claims: JWTs are encoded, not encrypted, so anyone can read the payload. Storing JWTs in localStorage makes them accessible to XSS attacks.

Decoded JWT payload

Input
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0Iiwicm9sZSI6ImFkbWluIiwiZXhwIjoxOTk5OTk5OTk5fQ
Result
{"sub":"1234","role":"admin","exp":1999999999} - Expires in 2033, admin role in payload

Security context

JWTs are not encrypted, they're just Base64. Never put secrets, passwords, or sensitive PII in JWT claims. Anyone who intercepts the token can read everything in it. The signature only guarantees the claims haven't been tampered with, it doesn't hide them.

In an HttpOnly, Secure cookie with SameSite=Lax. This makes the token inaccessible to JavaScript (preventing XSS theft) and ensures it's only sent over HTTPS. Avoid localStorage and sessionStorage, as they're accessible to any JavaScript running on the page.

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description