JSON Web Token (JWT)

A JSON Web Token (JWT) is a compact, URL-safe format for representing claims between two parties. It’s defined by RFC 7519 and widely used for OpenID Connect (OIDC) ID tokens, OAuth 2.0 access tokens, and API authentication. A JWT is digitally signed (JWS) or encrypted (JWE) to ensure integrity or confidentiality.

Key Capabilities

  • Compact structure: Consists of three Base64URL-encoded parts — header, payload, and signature.

  • Integrity via JWS: The most common form, a JSON Web Signature (JWS), ensures data integrity through cryptographic signing.

  • Confidentiality via JWE: JWTs can also be encrypted using the JSON Web Encryption standard.

  • Standards alignment: Forms the token format for OIDC ID tokens, OAuth 2.0 bearer tokens, and FAPI profiles.

Limitations

  • No built-in revocation: JWTs are self-contained; once issued, they remain valid until expiration. Token revocation must be handled via blacklists or short lifetimes.

  • Token size: Larger than opaque tokens due to embedded claims; can increase HTTP header or cookie payloads.

  • Key rotation management: Requires publishing JWKS endpoints and rotating signing keys securely.

  • Not an identity protocol: JWT is only a format — authentication, consent, and lifecycle are handled by higher-level frameworks like OAuth 2.0 or OIDC.
