Lesson 4
Common JWT Mistakes
Avoid common JSON Web Token validation and handling problems.
JWT bugs often come from treating a compact token as if it were a trusted session record. The format is simple, but the validation rules matter.
Trusting decoded payloads
The payload is readable JSON, but readable is not the same as trustworthy: anyone can create a token-shaped string with arbitrary fields. Never grant access just because a decoded payload contains admin: true or a familiar sub; only a verified signature from your issuer says who actually produced those claims.
Ignoring audience and issuer
A token issued for one API should not automatically work for another. Always check iss and aud according to your identity provider and service boundary.
Accepting unexpected algorithms
Applications should allow only the algorithms they expect, pinned in verifier code or configuration. Algorithm confusion bugs happen when a verifier lets the token's own alg header decide how the signature is checked instead of enforcing that allowlist.
Mishandling expiration
Check exp, a NumericDate in seconds since the Unix epoch, against the current time in seconds, not milliseconds; mixing units makes a token appear to expire far in the future. Also decide how much clock skew your system allows, especially across distributed services.
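The four validation points above (payload trust, algorithm allowlist, iss/aud binding, exp with bounded skew) in one verifier, as an added example that is not code from the lesson. It uses only the Python standard library, so it implements HS256 by hand rather than through a JWT library; the secret, issuer, audience, leeway and the ten-year "plausible exp" bound are constructed assumptions for the demo, not values from the page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; real deployments load these from configuration.
SECRET = b"example-shared-secret-for-demo-only"
ALLOWED_ALGS = {"HS256"}               # the verifier, not the token header, decides this
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "orders-api"
LEEWAY_SECONDS = 60                    # clock skew tolerated across services (assumed policy)
MAX_FUTURE_SECONDS = 10 * 365 * 86400  # assumed sanity bound; an exp given in milliseconds blows past it


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact token. alg="none" yields the unsigned form; any other alg is HMAC-signed
    but labelled as given, which is exactly the header/verifier mismatch an allowlist must catch."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """The mistake from the lesson: reads the payload but proves nothing about who produced it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify(token: str, now: "float | None" = None, secret: bytes = SECRET) -> dict:
    """Return the claims only after every check passes; raise ValueError on the first failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Algorithm allowlist: rejects "none" and any header that names a different algorithm.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg")
    # 2. Signature check before any claim is trusted; constant-time comparison.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer and audience bind the token to this identity provider and service boundary.
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # 4. Expiry: exp is a NumericDate in seconds; compare in seconds and allow bounded skew.
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        raise ValueError("missing exp")
    if now >= exp + LEEWAY_SECONDS:
        raise ValueError("expired")
    if exp - now > MAX_FUTURE_SECONDS:
        raise ValueError("exp not plausible in seconds")
    return claims


def check(token: str, now: "float | None" = None) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_900_000_000
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice", "exp": now + 300}
    print(check(make_token(base), now))
    forged = make_token({**base, "admin": True}, alg="none")
    print(decode_unverified(forged)["admin"], check(forged, now))
    print(check(make_token(base, alg="RS256"), now))
    print(check(make_token({**base, "aud": "billing-api"}), now))
    print(check(make_token({**base, "exp": now - 30}), now))
    print(check(make_token({**base, "exp": now - 120}), now))
    print(check(make_token({**base, "exp": (now + 300) * 1000}), now))
```

The order of checks is deliberate: the algorithm is pinned and the signature verified before any claim is read, so iss, aud and exp are only ever evaluated on a token the issuer actually produced. The forged alg=none token decodes to admin: true yet never gets past the allowlist, and a token whose exp is a millisecond value is caught by the plausibility bound instead of being accepted as valid for decades.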
Leaking tokens
JWTs are often bearer credentials. If someone can use the token, they may act as the subject until it expires or is revoked. Avoid putting tokens in logs, screenshots, issue trackers, or analytics events.
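One mitigation for the logging case above, as an added example that is not code from the lesson: a logging filter that scrubs anything shaped like a compact JWT before a record reaches a handler. The pattern and the sample log line are constructed for the demo; the filter catches tokens that were passed as the message or as string format arguments.

```python
import logging
import re

# Compact JWS shape: three base64url segments; a JSON header always encodes to a string
# starting with "eyJ". The last segment may be empty (the unsigned alg=none form).
JWT_PATTERN = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def redact_tokens(text: str) -> str:
    """Replace every token-shaped substring so the bearer credential never reaches a log line."""
    return JWT_PATTERN.sub("[REDACTED_JWT]", text)


class RedactJWTFilter(logging.Filter):
    """Scrubs the message and any string arguments; non-string args (counts, ids) are untouched."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_tokens(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact_tokens(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact_tokens(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def format_record(message: str, *args) -> str:
    """Push one record through the filter and return what a handler would write."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, message, args, None)
    RedactJWTFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed sample: a request log that accidentally includes the Authorization header.
    print(format_record("auth header: %s", "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123"))
    print(format_record("user %s retried %d times", "alice", 3))
```

Attach the filter to every handler (handler.addFilter(RedactJWTFilter())) rather than to a single logger, because logger-level filters do not apply to records propagated from child loggers. Redaction is a safety net for the moments a token slips into an error message or a debug dump; the primary control is still not passing tokens to the logger at all.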