JWT Security Best Practices
JSON Web Tokens (JWT) are widely used for API authentication. A JWT has Header, Payload, and Signature segments joined by dots. Understanding the security model is essential for reliable systems.
Never trust an unverified payload
Payloads are Base64-encoded, not encrypted: anyone can decode them, and anyone can alter a payload and re-encode it without holding a valid signature. Servers must verify the signature with a strong shared secret (HS256) or an asymmetric key pair (RS256) before trusting any claim in the token.
WaiHub's JWT decoder is for development only. Production must verify signatures on the server.
Set sensible expiry
Keep access tokens short-lived (15 minutes to 1 hour) and use refresh tokens for seamless renewal. Avoid non-expiring tokens; always validate exp on the server.
No secrets in the payload
Anyone can read JWT payloads. Store only user IDs, roles, and other auth metadata — never passwords or card numbers.
Always use HTTPS
Tokens travel via Authorization: Bearer headers or cookies. HTTPS prevents interception. For cookie storage, set HttpOnly and Secure flags.