JWT (JSON Web Token)
A compact, signed token format that encodes claims (like a user ID and expiry) and can be verified without a database lookup.
A JSON Web Token (JWT) is a compact, URL-safe token format consisting of three base64url-encoded parts: header, payload and signature. The payload is JSON claims — typically a user ID, an issuer, an expiry and any custom data. The signature lets the recipient verify the token was issued by a trusted party without calling back to a database.
JWTs are useful for stateless authentication between services. An API gateway issues a token, downstream services validate the signature locally, and you avoid a round-trip to the auth server on every request. They are also the standard payload for OAuth/OIDC ID tokens.
The failure modes are well-known. JWTs are not encrypted by default — anyone can read the claims. They cannot be revoked without an external denylist, so long expiry windows are dangerous. Using JWTs as session cookies in browsers is contentious because XSS-stolen tokens are hard to invalidate. The alg=none vulnerability and weak HS256 secrets have caused real breaches.
Devinsta uses JWTs for service-to-service tokens and OIDC ID tokens, with short expiries and asymmetric signing (RS256 or EdDSA), and, where JWTs back user sessions, a refresh-token rotation strategy. We default to opaque session cookies for browser-facing sessions unless a stateless requirement justifies otherwise.
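As an added worked example (not Devinsta's code), a minimal standard-library Python issuer and verifier showing the three unpadded base64url segments, local signature verification, and the checks that close the failure modes above: pinning the algorithm so alg=none is rejected, a mandatory exp, and a constant-time signature comparison. It uses HS256 because the standard library provides HMAC but no RSA/EdDSA; the secret, issuer and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issuer side: build header.payload.signature for an HS256 token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, issuer: str, now=None) -> dict:
    """Recipient side: verify locally (no database lookup); return claims or raise ValueError."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 segments
    header = json.loads(b64url_decode(header_b64))
    # The header is attacker-controlled: pin the algorithm rather than dispatching on
    # header["alg"], which is how alg=none and HS256/RS256 confusion get accepted.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    # exp is mandatory: without a denylist, expiry is the only thing that ends a token
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims

def demo() -> dict:
    """Run the verifier on a good token, the same token after expiry, and an alg=none forgery."""
    secret = b"constructed-demo-secret-not-for-real-use"  # constructed sample value
    issuer = "https://auth.example.test"                   # constructed sample value
    good = mint_hs256({"sub": "user-42", "iss": issuer, "exp": 2000}, secret)
    forged_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    forged = f"{forged_header}.{good.split('.')[1]}."  # same claims, empty signature
    results = {}
    for name, tok, now in (("good", good, 1000), ("expired", good, 3000), ("alg_none", forged, 1000)):
        try:
            results[name] = verify_hs256(tok, secret, issuer, now=now)["sub"]
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results
```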
