JWTs in Plainish English

18th May 2019

A JWT is a flashy succinct way of authorisation and authentication. It can be used by applications as a way for users to provide session information, including details such as access levels. JWTs can be signed and encrypted to secure against tampering and falsification.

The main cool thing about JWT is that in addition to using the tokens to authenticate users, the tokens can include extra information such as permitted roles or areas of access. A JWT can be signed (so that modified claims can be identified and ignored) and encrypted (so that claims cannot be viewed).

The main annoying thing about JWT is that it is pronounced jot.



Specifies the type of the token (so... JWT) and the level of encryption.

None No encryption.
HS256 HMAC with SHA-256.
HS384 HMAC with SHA-384.
HS512 HMAC with SHA-512.
RS256 RSA with SHA-256.
RS384 RSA with SHA-384.
RS512 RSA with SHA-512.
ES256 ECDSA faster and shorter than RSA, with SHA-256.
ES384 ESDSA faster and shorter than RSA, with SHA-384.
ES512 ECDSA faster and shorter than RSA, with SHA-512.
PS256 RSASSA-PSS (RSA padded with random bits) with SHA-256
PS384 RSASSA-PSS (RSA padded with random bits) with SHA-384


Specifies the "claims" of the JWT, which by default can include:

iss Issuer The issuing principal. Optional
sub Subject The subject of the JWT. Optional
aud Audience The intended recipients. Optional
exp Expiration When the JWT should no longer be accepted. Optional
nbf Not Before When the JWT should begin being accepted. Optional
iat Issued At Numeric date of issuance Optional
jti JWT ID The UID for the JWT Optional

JWT claims can be extended to meet the needs of an app. These claims can be customized and should always be inspected for goodies.


The signature is declared within the header, and can also be encrypted.

JWTs can be spotted in the wild, as the resultant mass is base64 encoded and is not really inconspicuous. As they are used for authentication, if you see a massive cookie with two "."s beginning with "eyj", it's worth running it through JWT.io or a BurpSuite extension to see what you've been granted.

Security Concerns

As far as I know (and I don't), there is nothing inherently bad with the JWT standard. The main three issues potentially affecting the security of your JWT secured app are: