JWT Best Practices Checklist
JSON Web Tokens (JWTs) are widely used for authentication and authorization, but they come with security considerations that developers must address carefully.
Key Management
- Use strong secrets: Minimum 256-bit keys for HS256; 2048-bit RSA for RS256
- Rotate secrets regularly: Implement key rotation and identify the signing key with the `kid` header claim
- Never hardcode secrets: Store in environment variables or a secrets manager
- Use separate keys per environment: Development, staging, and production must use different keys
Token Design
- Set short expiration times: Access tokens should expire in 15–60 minutes
- Include only necessary claims: Don't embed sensitive data in the payload
- Validate the `aud` claim: Ensure tokens are intended for your service
- Always specify the algorithm: Never use `alg: none`
Transmission & Storage
- Use HTTPS exclusively: Never transmit tokens over unencrypted connections
- Store in httpOnly cookies: Prevents JavaScript from reading the token, so an XSS bug cannot exfiltrate it
- Implement CSRF protection: Required when using cookie storage, because the browser attaches cookies to cross-site requests automatically
- Don't store in localStorage: Any script running in the page can read it, so an XSS bug exposes the token
Validation
- Verify the signature: Always validate before trusting any claim
- Check expiration (`exp`): Reject expired tokens immediately
- Validate `iss` and `aud`: Confirm token issuer and audience
- Use a well-maintained library: Don't implement JWT parsing yourself
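To show what the Token Design and Validation items above look like in one verification path (algorithm pinning, `kid`-based key lookup, signature check before any claim is trusted, then `exp`, `iss` and `aud`), here is an added example written for this page; it is not code from the original checklist and it uses only the Python standard library. Everything in it is an assumption for illustration: the key set `KEYS` is constructed in-memory (a real service would load keys from a secrets manager), and the issuer and audience strings are placeholders. In production you would use a maintained JWT library, as the checklist says; this is here to make the order of checks explicit.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed key set indexed by kid (assumption: stand-in for a secrets manager).
# Both keys are 256 bits, the minimum the checklist gives for HS256. Keeping two
# keys live is what allows rotation: tokens signed under the previous kid stay
# verifiable until they expire.
KEYS: Dict[str, bytes] = {
    "2024-01": hashlib.sha256(b"constructed-demo-key-2024-01").digest(),
    "2024-02": hashlib.sha256(b"constructed-demo-key-2024-02").digest(),
}
ACCEPTED_ALG = "HS256"  # pinned server-side; the token header never chooses it


class TokenError(Exception):
    """Raised for any token that must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: Dict[str, Any], kid: str, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Sign an access token with the key named by kid (15-minute default TTL)."""
    now = int(time.time()) if now is None else now
    header = {"alg": ACCEPTED_ALG, "typ": "JWT", "kid": kid}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, expected_iss: str, expected_aud: str,
                 now: Optional[int] = None) -> Dict[str, Any]:
    """Return the claims only after signature, exp, iss and aud all check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise TokenError("malformed token")
    # 1. Algorithm is pinned. This rejects alg: none and any algorithm swap.
    if not isinstance(header, dict) or header.get("alg") != ACCEPTED_ALG:
        raise TokenError("unexpected alg")
    # 2. Key lookup by kid; an unknown or retired kid is a rejection, not a fallback.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        raise TokenError("unknown kid")
    # 3. Signature check, constant-time, before the payload is parsed at all.
    try:
        presented_sig = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    expected_sig = hmac.new(KEYS[kid], f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        raise TokenError("bad signature")
    # 4. Only now are the claims trustworthy enough to read.
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(payload, dict):
        raise TokenError("malformed token")
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise TokenError("expired")
    if payload.get("iss") != expected_iss:
        raise TokenError("wrong issuer")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise TokenError("wrong audience")
    return payload


def verification_result(token: str, expected_iss: str, expected_aud: str,
                        now: Optional[int] = None) -> str:
    """'ok' or the rejection reason; handy for logging and for tests."""
    try:
        verify_token(token, expected_iss, expected_aud, now)
        return "ok"
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock for a reproducible demo
    tok = issue_token({"sub": "user-42", "iss": "https://auth.example",
                       "aud": "orders-api"}, "2024-02", now=t0)
    print(verification_result(tok, "https://auth.example", "orders-api", now=t0 + 60))
    print(verification_result(tok, "https://auth.example", "orders-api", now=t0 + 901))
```

The order matters: the header's `alg` and `kid` are attacker-controlled input until the signature is verified, so the code treats them only as a lookup into server-side configuration and never lets the token pick an algorithm. The payload is not even decoded before the MAC comparison succeeds.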
Revocation
- Implement token blacklisting: For immediate revocation needs
- Use refresh token rotation: Issue new refresh tokens on each use
- Monitor for anomalies: Track unusual usage patterns
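The two revocation mechanisms above, a denylist for immediate access-token revocation and refresh-token rotation with reuse detection, fit in a small server-side store. The following is an added example for this page, not code from the original checklist; it is an in-memory stand-in (assumption) for what would normally be a shared cache or database, and the `jti` values and expiry times it uses are constructed for the demo. It goes slightly beyond the list by showing why rotation is worth doing: presenting an already-rotated refresh token is treated as evidence of theft and the whole session family is revoked.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class RefreshFamily:
    """One login session. Exactly one refresh token is live at any time."""
    current: str
    revoked: bool = False


class RevocationStore:
    """In-memory revocation state (assumption: stand-in for Redis or a database)."""

    def __init__(self) -> None:
        self._token_to_family: Dict[str, str] = {}
        self._families: Dict[str, RefreshFamily] = {}
        # Access-token denylist keyed by jti, holding each entry only until the
        # token's own exp, after which the normal expiry check rejects it anyway.
        self._denied_jti: Dict[str, int] = {}

    # --- access tokens: denylist for immediate revocation -------------------
    def revoke_access_token(self, jti: str, exp: int) -> None:
        self._denied_jti[jti] = exp

    def is_access_token_revoked(self, jti: str, now: int) -> bool:
        expired = [j for j, exp in self._denied_jti.items() if exp <= now]
        for j in expired:          # prune so the list never grows without bound
            del self._denied_jti[j]
        return jti in self._denied_jti

    # --- refresh tokens: rotation with reuse detection ----------------------
    def start_session(self) -> str:
        family_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._families[family_id] = RefreshFamily(current=token)
        self._token_to_family[token] = family_id
        return token

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for a new one, or None if it must be refused."""
        family_id = self._token_to_family.get(presented)
        if family_id is None:
            return None                       # never issued by us
        family = self._families[family_id]
        if family.revoked:
            return None
        if presented != family.current:
            # An older token from this family was replayed: either the client
            # or an attacker holds a copy, so revoke the entire session.
            family.revoked = True
            return None
        new_token = secrets.token_urlsafe(32)
        family.current = new_token
        self._token_to_family[new_token] = family_id
        return new_token

    def is_family_revoked(self, token: str) -> bool:
        family_id = self._token_to_family.get(token)
        return family_id is not None and self._families[family_id].revoked


def demo_reuse_detection() -> Dict[str, bool]:
    """Walk through a normal rotation and then a replay of the old token."""
    store = RevocationStore()
    first = store.start_session()
    second = store.rotate(first)                    # normal use
    replay = store.rotate(first)                    # old token presented again
    after = store.rotate(second) if second else None  # legitimate token now dead too
    return {
        "rotated": second is not None,
        "replay_refused": replay is None,
        "family_revoked": store.is_family_revoked(first),
        "current_refused_after_replay": after is None,
    }


if __name__ == "__main__":
    print(demo_reuse_detection())
```

The denylist is deliberately bounded by each token's `exp`: with 15-to-60-minute access tokens it stays small, which is the practical reason the checklist pairs short expiry with a blacklist rather than relying on either alone. The "family revoked" signal from `rotate` is also a natural input for the anomaly monitoring item above.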
Following these practices will significantly reduce the attack surface of your JWT implementation.