JWTs are credentials, not secrets
A JSON Web Token proves a claim between parties. Treat every JWT like a session cookie — protect it in transit and storage.
Must-verify checklist
- Validate signature with the correct algorithm and key
- Enforce exp (expiration) and optional nbf
- Match aud (audience) and iss (issuer) when applicable
- Never accept alg: none; pin the algorithm your server expects instead of trusting the one declared in the token header
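The checklist above walked through in code, as an added example that is not part of this page or the JWT Decoder: a standard-library-only HS256 verifier that pins the algorithm, checks the signature in constant time, then enforces exp, nbf, iss and aud. The key, issuer, audience and clock value are constructed test inputs, and mint_hs256 exists only to build those inputs.

```python
import base64, hashlib, hmac, json

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    # Builds a token for the verifier below; alg="none" yields an unsigned token as a negative test case.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Runs the checklist: pinned alg, signature, exp/nbf, iss, aud. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # The server pins the algorithm; the token never chooses. This rejects alg: none outright.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time MAC comparison; no claim is trusted until the signature has been checked.
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired or missing exp")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims

def rejection_reason(token: str, key: bytes, issuer: str, audience: str, now: int) -> str:
    # Convenience wrapper: an empty string means the token passed every check.
    try:
        verify_hs256(token, key, issuer, audience, now)
        return ""
    except ValueError as e:
        return str(e)
```

The clock value is passed in explicitly so the checks are deterministic; in production pass the current Unix time.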
Common mistakes
- Storing JWTs in localStorage on XSS-prone sites
- Long-lived access tokens without refresh rotation
- Putting sensitive PII in the payload (JWTs are only encoded, not encrypted)
Inspect tokens safely with the JWT Decoder — decoding happens client-side.