Become familiar with the sharp edges of JWTs.

JSON Web Tokens, or JWTs¹ for short, are self-contained tokens that are often used in the context of authentication and authorization. In this post, I will explain how JWTs work, what problems they are meant to solve, and common pitfalls to avoid when implementing a service that uses JWTs.

A Crash Course on JWTs

A JWT is just a JSON object, base64-encoded² and signed. It generally looks like this:


After decoding each dot-separated section, we obtain the following:

    {
      "typ": "JWT",
      "alg": "HS256"
    }.{
      "iss": "joe",
      "exp": 1300819380,
      "": true
    }.<some binary data>

The first section is the “JOSE header”, and contains metadata about…

Nevil Seong
