Common JWT Security Mistakes Developers Should Avoid
A developer checklist for JWT algorithms, expiry, issuer, audience, signature verification, token storage, and safe debugging.
Decoding is not verification
JWT header and payload segments are only Base64URL encoded, not encrypted; anyone who holds a token can read every claim in it. An API must verify the signature with the key it expects and must decide the algorithm itself rather than trusting the "alg" value in the header: a token that announces alg "none", or that swaps the asymmetric algorithm the server expects for an HMAC one, must be rejected before any claim is read for authorization. Tokens from an unexpected issuer must be rejected in the same way.
Use a decoder for debugging claim shape and expiry, but never treat decoded claims as trusted until server-side verification has succeeded.
Validate the expected audience and issuer
A token issued for one API should not automatically work against another API. Check issuer and audience so tokens cannot be replayed across environments, tenants, or services.
Check "exp" (and "nbf" when present) against the server clock with only a small, fixed leeway for clock skew, and keep lifetimes short and keys rotated so a leaked token is useful for minutes rather than days; together these reduce the blast radius when a token leaks.
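The checks in the two sections above (signature with a pinned algorithm, then issuer, audience, expiry and not-before with a small leeway) in one verifier, as an added example that is not code from the original page or from the tools it lists. It assumes an HS256 shared secret and uses only the Python standard library; the key, issuer, audience, leeway and the fixed "current time" are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (assumptions for this demo, not from the page).
SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "api.example"
LEEWAY = 60  # seconds of clock skew tolerated on exp/nbf
NOW = 1_700_000_000  # fixed "current time" so the demo is deterministic


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint an HS256 token. `alg` only exists so the demo can produce a
    token whose header claims a different algorithm than was used."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":"))
    body = json.dumps(claims, separators=(",", ":"))
    signing_input = b64url_encode(header.encode()) + "." + b64url_encode(body.encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str):
    """Decoding only: fine for inspecting claim shape, never for authorization."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is attacker-controlled, so the server pins the algorithm
    # itself. This rejects alg "none" and algorithm-swap tokens before any
    # signature or claim is looked at.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in audiences:
        raise ValueError("token not intended for this audience")
    if "exp" not in claims:
        raise ValueError("missing exp")
    if now > claims["exp"] + LEEWAY:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0) - LEEWAY:
        raise ValueError("token not yet valid")
    return claims


def demo_tokens() -> dict:
    """Constructed tokens covering the mistakes the checklist describes."""
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user-42", "exp": NOW + 300}
    return {
        "valid": mint_token(base, SECRET),
        "alg_none": mint_token(base, SECRET, alg="none"),
        "wrong_aud": mint_token({**base, "aud": "other.example"}, SECRET),
        "expired": mint_token({**base, "exp": NOW - 120}, SECRET),
        "within_skew": mint_token({**base, "exp": NOW - 30}, SECRET),
        "wrong_key": mint_token(base, b"some-other-secret"),
    }


def outcome(token: str) -> str:
    """'ok' if the token verifies at the fixed NOW, else the rejection reason."""
    try:
        verify(token, SECRET, now=NOW)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, tok in demo_tokens().items():
        print(f"{name:12} -> {outcome(tok)}")
```

The "alg_none" token is still a decodable JWT, and decode_unverified happily shows its claims; only verify, which pins HS256 before looking at the signature, rejects it. The "within_skew" token expired 30 seconds ago and is accepted because it falls inside the 60-second leeway, while the one that expired 120 seconds ago is not.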
Keep tokens out of shared artifacts
Bearer tokens in screenshots, HAR files, logs, shell history, and support tickets are common sources of accidental exposure. Redact them before sharing and rotate any token that may have leaked.
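A redactor for the text artifacts named above (log lines, a HAR fragment, shell history), as an added example that is not part of the original page. It replaces each JWT with a placeholder that keeps only the header's alg and a short SHA-256 fingerprint, so the shared artifact no longer carries the token but the team can still tell which token leaked and rotate it. The sample lines, including the tokens in them, are constructed for the demo.

```python
import base64
import hashlib
import json
import re

# Three dot-separated Base64URL segments. Real JWT headers are JSON objects,
# so they Base64URL-encode to a string starting with "eyJ"; the signature
# segment may be empty for alg "none" tokens, hence the trailing "*".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Constructed sample artifact: a server log line, a HAR header entry,
# a shell-history line with a token in the query string, and a harmless
# dotted version string that must survive untouched.
SAMPLE = """\
2024-05-02T10:15:01Z INFO GET /api/orders Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTQyIiwiZXhwIjoxNzAwMDAwMzAwfQ.dGhpcy1pcy1ub3QtYS1yZWFsLXNpZ25hdHVyZQ
{"name": "Authorization", "value": "Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9."}
curl -H 'X-Api-Key: 1234' 'https://api.example/v1/me?access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI3In0.abc-_DEF'
2024-05-02T10:15:02Z INFO version 2.14.3 build ok
"""


def fingerprint(token: str) -> str:
    """Short, stable identifier for a token that reveals nothing about its claims."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()[:12]


def header_alg(token: str) -> str:
    """Best-effort read of the header alg; the header carries no secrets."""
    header_b64 = token.split(".")[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(header_b64 + "=" * (-len(header_b64) % 4)))
        return str(header.get("alg", "?"))
    except (ValueError, UnicodeDecodeError):
        return "?"


def redact_jwts(text: str):
    """Replace every JWT in `text` with a placeholder.

    Returns (redacted_text, fingerprints) where fingerprints lists each
    distinct token seen, in order, so the caller knows what to rotate."""
    seen = []

    def replace(match: re.Match) -> str:
        token = match.group(0)
        fp = fingerprint(token)
        if fp not in seen:
            seen.append(fp)
        return f"<jwt alg={header_alg(token)} sha256:{fp}>"

    return JWT_RE.sub(replace, text), seen


if __name__ == "__main__":
    redacted, leaked = redact_jwts(SAMPLE)
    print(redacted)
    print("tokens to rotate:", leaked)
```

The fingerprint is of the full token string, so the same token appearing in a log, a HAR file and a ticket maps to one entry in the rotation list. The regex deliberately does not try to catch opaque (non-JWT) bearer tokens or API keys; those need their own patterns, and redaction is a courtesy to the next reader, not a substitute for rotating anything that was already exposed.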
Related tools
API & Auth
OpenJWT Security Inspector
Decode JWTs, inspect expiry, issuer, audience, algorithm choices, and common token security mistakes.
OpenJWT Decoder
Decode JWT headers and payloads, inspect claims, and check expiry fields at a glance.
OpenHeader Parser
Parse raw HTTP headers into readable key and value pairs for request and response debugging.