JSON Web Token (JWT)
Last updated
Last updated
This page contains recommendations for the secure use of JSON Web Tokens (JWTs).
JSON Web Token (JWT) represents a set of claims as a JSON object that is encoded in a JSON Web Signature (JWS) and/or JSON Web Encryption (JWE) structure. A JWT is represented as a sequence of URL-safe parts (JWT claims sets) separated by .. Each part contains a base64url-encoded value. For example:
The number of parts in the JWT is dependent upon the representation of the resulting or .
The JWT claims set represents a JSON object whose members are the claims conveyed by a JWT. There are three classes of JWT claim names:
Claim names in the table below are registered in the IANA "JSON Web Token Claims" registry. None of these claims are intended to be mandatory to use or implement in all cases, but rather they provide a starting point for a set of useful, interoperable claims. Applications using JWTs should define which specific claims they use and when they are required or optional.
iss
Issuer
String or URI
The iss claim identifies the principal that issued the JWT
sub
Subject
String or URI
The sub claim identifies the principal that is the subject of the JWT
aud
Audience
Array of strings (String or URI)
String or URI
The aud claim identifies the recipients that the JWT is intended for
exp
Expiration Time
NumericDate
The exp claim identifies the expiration time on or after which the JWT must not be accepted for processing
nbf
Not Before
NumericDate
The nbf claim identifies the time before which the JWT must not be accepted for processing
iat
Issued At
NumericDate
The iat claim identifies the time at which the JWT was issued
jti
JWT ID
String
The jti claim provides a unique identifier for the JWT
Claim names can be defined at will by those using JWTs. Claim name is a value that contains a collision-resistant name.
A producer and consumer of a JWT may agree to use private claim names: names that are not registered claim names or public claim names. Unlike public claim names, private claim names are subject to collision.
The JSON Object Signing and Encryption (JOSE) header is a JSON object containing the parameters describing the cryptographic operations and parameters employed.
For a JWT object, the members of the JSON object represented by the JOSE header describe:
the cryptographic operations applied to the JWT,
(optionally) additional properties of a JWT.
JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. The JWS cryptographic mechanisms provide integrity protection for an arbitrary sequence of octets.
There are two closely related serializations for JWS which both share the same cryptographic underpinnings:
A JWS represents the following logical values:
For a JWS, the members of the JSON object(s) representing the JOSE header describe:
the digital signature or MAC applied to the JWS-protected header and payload,
(optionally) additional properties of a JWS.
JWS defines the following registered header parameter names:
alg
Algorithm
String or URI
jku
JWK Set URL
URI
jwk
JSON Web Key
The jwk header parameter is the public key that corresponds to the key used to digitally sign the JWS
kid
Key ID
String
x5u
X.509 URL
URI
x5c
X.509 Certificate Chain
x5t
X.509 certificate SHA-1 thumbprint
String
The x5t header parameter is a base64url-encoded SHA-1 thumbprint (digest) of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign the JWS
x5t#S256
X.509 Certificate SHA-256 Thumbprint
String
The x5t#S256 header parameter is a base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign the JWS
typ
Type
The typ header parameter is used by JWS applications to declare the media type of this complete JWS. This is intended for use by the application when more than one kind of object could be present in an application data structure that can contain a JWS. To indicate that this object is a JWT, recommended to use the "JWT" value
cty
Content Type
The cty header parameter is used by JWS applications to declare the media type [IANA.MediaTypes] of the secured content (the payload). In the normal case in which nested signing operations are not employed, the use of this header parameter is not recommended. In the case that nested signing is employed, this header parameter must be present; in this case, the value must be "JWT", to indicate that a nested JWT is carried in this JWT
crit
Critical
Array of the header parameter names present in the JOSE header
The sequence of octets to be secured (the message). The payload can contain an arbitrary sequence of octets.
A digital signature or MAC over the JWS-protected header and payload. Since JWT uses JWS compact serialization, JWS unprotected headers are not used.
JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. The JWE cryptographic mechanisms encrypt and provide integrity protection for an arbitrary sequence of octets. JWE utilizes authenticated encryption to ensure the confidentiality and integrity of plaintext and the integrity of the JWE-protected header.
There are two closely related serializations for JWE which both share the same cryptographic underpinnings:
A JWE represents these logical values:
For a JWE, the members of the JSON object(s) representing the JOSE header describe:
the encryption applied to the plain text,
(optionally) additional properties of a JWE.
JWE defines the following registered header parameter names:
alg
Algorithm
String or URI
enc
Encryption Algorithm
String or URI
zip
Compression Algorithm
String
The zip applied to the plaintext before encryption, if any
jku
JWK Set URL
URI
jwk
JSON Web Key
The jwk header parameter is the public key that corresponds to the key used to encrypt the JWE; this can be used to determine the private key needed to decrypt the JWE
kid
Key ID
String
x5u
X.509 URL
URI
x5c
X.509 Certificate Chain
x5t
X.509 certificate SHA-1 thumbprint
String
The x5t header parameter is a base64url-encoded SHA-1 thumbprint (digest) of the DER encoding of the X.509 certificate corresponding to the key used to encrypt the JWE
x5t#S256
X.509 Certificate SHA-256 Thumbprint
String
The x5t#S256 header parameter is a base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of the X.509 certificate corresponding to the key used to encrypt the JWE
typ
Type
The typ header parameter is used by JWE applications to declare the media type of this complete JWE. This is intended for use by the application when more than one kind of object could be present in an application data structure that can contain a JWE. To indicate that this object is a JWT, recommended to use the "JWT" value
cty
Content Type
The cty header parameter is used by JWE applications to declare the media type [IANA.MediaTypes] of the secured content (the plaintext). In the normal case in which nested encryption operations are not employed, the use of this header parameter is not recommended. In the case that nested encryption is employed, this header parameter must be present; in this case, the value must be "JWT", to indicate that a nested JWT is carried in this JWT
crit
Critical
Array of the header parameter names present in the JOSE header
An encrypted value of a content encryption key. The JWE encrypted key value is specified as an empty sequence of octets for some algorithms.
An initialization vector, that is used as an initialization vector value when encrypting a plaintext. Some algorithms may not use an initialization vector, in which case this value is the empty octet sequence.
A value resulting from authenticated encryption of plaintext with additional authenticated data.
A value resulting from authenticated encryption of plaintext with additional authenticated data. Some algorithms may not use an authentication tag, in which case this value is the empty octet sequence.
Define a list of allowed algorithms that can be used to secure JWT. Do not use block lists.
Do not use weak or deprecated algorithms.
Disable support for all algorithms in your library except those on an allow list.
Validate the alg or enc claims to make sure a JWT is secured by an allowed algorithm.
Use each key for exactly one algorithm. Validate it when the cryptographic operation is performed.
If the exp (expiration date) claim is used, validate that JWT has not expired. Reject expired JWTs.
If the iss claim is used, validate that the cryptographic keys used for cryptographic operations in the JWT belong to the issuer. Reject the JWT if they do not.
If the sub claim is used, validate that the subject (user) corresponds to a valid subject and/or issuer:subject pair in an application.
If the same issuer can issue JWTs that are intended for use by more than one relying party or application:
Reject the JWT if the aud claim is not present.
Reject the JWT if the aud claim is not associated with the recipient.
If the jku claim is used, validate that jku contains a URI from an allow list.
If the jwk claim is used, validate that jwk contains a public key from an allow list.
Reject the entire JWT if any of the validations fail (including all cryptographic operations).
Disable support of the None algorithm in production. Make sure the None algorithm is disabled by default.
Make sure the JWT's signature is validated and it is not possible to use a JWT without a signature or with an invalid signature.
Disable support of the None algorithm in all environments.
Make sure the internal signature is validated after decryption.
Depending upon whether the JWT is a or , the corresponding rules for the JOSE header values apply.
The is a compact, URL-safe representation intended for space-constrained environments such as HTTP Authorization headers and URI query parameters.
The represents JWSs as JSON objects and enables multiple signatures and/or MACs to be applied to the same content.
The alg header parameter identifies the cryptographic algorithm used to secure a JWS. You can find a list of possible values in the specification in
The jku header parameter is a URI that refers to a resource for a set of JSON-encoded public keys (as set), one of which corresponds to the key used to digitally sign the JWS
The kid header parameter is a hint indicating which key was used to secure the JWS. When used with a , the kid value is used to match a JWK kid parameter value
The x5u header parameter is a URI that refers to a resource for the in PEM-encoded form corresponding to the key used to digitally sign the JWS
The x5c header parameter contains the corresponding to the key used to digitally sign the JWS
The crit header parameter indicates that extensions and/or are being used that must be understood and processed
The is a compact, URL-safe representation intended for space-constrained environments such as HTTP Authorization headers and URI query parameters.
The represents JWEs as JSON objects and enables the same content to be encrypted to multiple parties.
The alg header parameter identifies the cryptographic algorithm used to encrypt or determine the value of the Content Encryption Key (a symmetric key for the AEAD algorithm). You can find a list of possible values in the specification in
The enc header parameter identifies the content encryption algorithm used to perform authenticated encryption on the plaintext to produce the ciphertext and the authentication tag. This algorithm must be an AEAD algorithm with a specified key length. You can find a list of possible values in the specification in
The jku header parameter is a URI that refers to a resource for a set of JSON-encoded public keys (as set), one of which the JWE was encrypted; this can be used to determine the private key needed to decrypt the JWE
The kid header parameter is a hint indicating which key was used to encrypt the JWE. When used with a , the kid value is used to match a JWK kid parameter value
The x5u header parameter is a URI that refers to a resource for the in PEM-encoded form corresponding to the key used to encrypt the JWE
The x5c header parameter contains the corresponding to the key used to encrypt the JWE
The crit header parameter indicates that extensions and/or are being used that must be understood and processed
Use well-known and up-to-date libraries to implement JWT support. You can find a list of libraries and a description of the provided functionality at .
Do not trust any data that is passed in a JWT. Implement comprehensive input validation for each value that is read from a JWT, see the page.
JWT claims can be used to deliver a payload to exploit vulnerabilities in an application. Implement protection against these attacks in addition to input validation, see the section.
If there is a way to force an application to use a key that is intended for a different algorithm, an attacker can abuse this behaviour to craft valid JWTs, see
Implement proper error and exception handling to avoid situations where the absence of a signature causes JWT validation to be bypassed, see the page.
Comply with requirements from the page.
Comply with requirements from the page when JWTs need to be stored securely in the browser.
Log errors that occur when validating JWTs and working with them, see the page.
Do not pass any sensitive data in the JWT header or payload, see the page.
If a keyed-MAC algorithm is used comply with requirements from the page.
Do not pass any sensitive data in the JWT header, see the page.
