JSON Web Token (JWT)

Last Updated : 3 Jun, 2026

JSON Web Token (JWT) is a compact and secure method for transmitting information between parties as a JSON object. It is commonly used for authentication and authorization in web applications, allowing users to access protected resources without repeatedly providing credentials. Key features include:

  • Stateless Authentication: Stores user information in a token, reducing the need for server-side session storage.
  • Secure Data Exchange: Uses digital signatures to verify that the token has not been altered.
  • Compact Format: Consists of three parts—Header, Payload, and Signature—encoded into a single string.
  • Widely Supported: Works across different programming languages and platforms.

JWT Structure

JWT mainly consists of 3 components, separated by dots(.):

Header. Payload. Signature
structure_of_a_json_web_token_jwt_
Structure of a JWT

1. Header

The header contains metadata about the token, including the signing algorithm and token type.

{
    "alg": "HS256",
    "typ": "JWT"
}

where,

  • alg: Algorithm used for signing (e.g., HS256, RS256).
  • typ: Token type, always "JWT".

Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

2. Payload

The payload contains the information about the user also known as a claim and some additional information including the timestamp at which it was issued and the expiry time of the token.

{
    "userId": 123,
    "role": "admin",
    "exp": 1672531199
}

Common claim types:

  • iss (Issuer): Identifies who issued the token.
  • sub (Subject): Represents the user or entity the token is about.
  • aud (Audience): Specifies the intended recipient.
  • exp (Expiration): Defines when the token expires.
  • iat (Issued At): Timestamp when the token was created.
  • nbf (Not Before): Specifies when the token becomes valid.

Example:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzA4MzQ1MTIzLCJleHAiOjE3MDgzNTUxMjN9

3. Signature

The signature ensures token integrity and is generated using the header, payload, and a secret key. 

HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload),
    secret
)

Example:

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Final JWT token:

After all these steps the final JWT token is generated by joining the Header, Payload and Signature via a dot. It looks like as it is shown below.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzA4MzQ1MTIzLCJleHAiOjE3MDgzNTUxMjN9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JWT Authentication Working

JWT is used for authentication. This is the whole flow of the Authentication process:

client

Here are the key steps:

  • Login Request: The user logs in through the client application (e.g., web or mobile app) by sending their credentials (username & password) to the server.
  • Server Generates JWT: If the credentials are correct, the server generates a JWT token using a secret key.
  • Returns JWT: The server sends the JWT back to the client application.
  • Further Requests with JWT: For any subsequent requests, the client sends the JWT along with the request. The server verifies the JWT before granting access to protected resources.

Note: JWTs are primarily used for authentication and secure data exchange in web applications and APIs.

Hand-On Lab: JWT

Below is a step‑by‑step hands‑on lab on JWT authentication bypass due to an unverified signature. We are using PortSwigger to work through this hands‑on lab. Access the lab at the following link:

JWT authentication bypass via unverified signature

Step 1: Understand the Lab and Set Up Burp Suite

  • In Burp Suite, ensure the Proxy module is active. You can turn intercept on initially to capture requests or rely on HTTP history.
  • Click on Access the lab on portswigger.
image---2025-09-27T180038271

Step 2: Log In and Capture the Session Token

On the lab website, log in using the credentials wiener:peter.

image---2025-09-27T164105381
  • After logging in, navigate to My account.
  • In Burp Suite, go to Proxy > HTTP history and find the GET /my-account request made after logging in.
file

Step 3: Decode and Analyze the JWT

  • In Burp Suite, select the GET /my-account request in Repeater.
  • Highlight the JWT in the Cookie header (e.g., session=eyJ...).
  • In Burp’s Inspector panel (usually on the right), the JWT will automatically be decoded into its Header, Payload, and Signature components.
image---2025-09-27T164109986

Step 4: Test Admin Access

  • In Burp Repeater, modify the GET /my-account request by changing the path to /admin.
  • Observe the response. You’ll likely get an error or a message indicating that only the administrator user can access the /admin endpoint.
file

Step 5: Modify the JWT to Impersonate Administrator

  • In Burp Repeater, select the JWT in the Cookie header of the GET /admin request.
  • In the Inspector panel, locate the Payload section.
  • Change the sub claim from wiener to administrator.
jwt6
  • Click Apply changes in the Inspector panel. Burp will automatically re-encode the JWT
  • Send the modified GET /admin request.
  • The server accepts the modified JWT and grants access to the /admin panel.
file

Step 6: Delete the User Carlos

  • In Repeater, right-click the request and forward it to the browser. Copy the resulting link, paste it into your browser, and it will display the option to delete users.
file
  • In the /admin response, locate the URL for deleting the user carlos. It will likely be a link like: 
/admin/delete?username=carlos
  • Set the request to: GET /admin/delete?username=carlos.
file
  • The server processes the delete request, removing the user carlos.
  • The lab should display a “Solved” message.
file

Security Considerations

When working with JWTs, keep these best practices in mind to ensure safe and reliable authentication:

  • Use HTTPS: Prevent man-in-the-middle attacks by transmitting JWTs over HTTPS, which send token in encrypted form instead of plain text.
  • Set Expiration Time: Prevent long-lived tokens that can be exploited. Set fixed time, after which the token will automatically be destroyed.
  • Use Secure Storage: Store JWTs securely. For example: HttpOnly cookies instead of local storage.
  • Verify Signature: Always validate the token's signature before trusting its content.

Common Issues During Development with JWT

  • JWT Rejected: The server could not verify the token. This can happen if the token has expired, the signature is invalid, or the claims do not match the expected details.
  • Token Does Not Support Required Scope: The token does not include the permissions needed for the action. For example, it may allow only reading data, but the app requires write access.
  • JWT Decode Failed: The token is not in the correct format or not properly encoded, so the client cannot read it.
Comment
Article Tags:
Web Tech
JSON
JavaScript-JSON

Explore