JWT Security Best Practices: Token Storage, Algorithms & Revocation
Security best practices for JSON Web Tokens: algorithm selection, token storage, expiration, refresh patterns, revocation strategies, and common vulnerabilities to avoid.
Frequently Asked Questions
Should I use HS256 or RS256 for JWT signing?
It depends on who verifies. If a single service both issues and verifies its own tokens, HS256 is acceptable, provided the secret is long and random (at least 256 bits) and never leaves that service. As soon as more than one service must verify tokens, prefer RS256 or ES256: each verifier holds only the public key, while the private signing key stays with the issuer. With HS256 every verifier needs the shared secret, so any one of them (or any leak from any of them) can mint valid tokens. Whichever algorithm you choose, pin it in the verifier's configuration and reject any other value in the token's alg header, including "none". Letting the token pick the algorithm is what enables algorithm-confusion attacks such as verifying an RS256 public key as an HS256 secret.
Where should I store JWTs?
For browser applications, keep the token in a cookie flagged HttpOnly, Secure and SameSite (Lax or Strict). HttpOnly keeps it out of reach of JavaScript, so an XSS bug cannot read and exfiltrate it; Secure keeps it off plaintext HTTP. Anything in localStorage or sessionStorage is readable by any script running on the origin, so a single XSS steals the token outright. Two caveats: HttpOnly stops token theft, not token use, since injected script can still call your API from the page with the cookie attached; and because browsers send cookies automatically, state-changing endpoints still need CSRF protection (SameSite covers most cases; if the cookie must be SameSite=None, add an anti-CSRF token). For mobile apps, use the platform secure storage (Keychain on iOS, Keystore on Android).
How do I revoke a JWT?
A JWT is accepted on the strength of its signature alone, so nothing on the server "forgets" it before exp; true revocation needs server-side state. The usual combination: keep access tokens short-lived (5 to 15 minutes) so a stolen one dies quickly, and pair them with a longer-lived refresh token that the server does track. For immediate revocation of an access token (logout, suspected compromise), keep a deny list of revoked jti claims and check it on every request; entries can be dropped once the token's exp has passed, so with short lifetimes the list stays small. For refresh tokens, rotate on every use and group them into families: each refresh consumes the presented token and issues a new one in the same family, and if an already-consumed token is presented again (reuse, which means it leaked), revoke the entire family so both the attacker and the legitimate client must re-authenticate.
Related Guides
What is a JWT? A Developer Guide to JSON Web Tokens
Learn how JSON Web Tokens work, their structure, use cases, and common pitfalls.
Environment Variables Security: Secrets, Leaks & Best Practices
Why environment variables are not truly secure and what to do about it. Covers secret rotation, leak detection, client-side exposure risks, and when to use a dedicated secrets manager.
How to Share .env Files With Your Team Securely
Never commit .env files to Git. Compare secure sharing methods: 1Password CLI, Doppler, AWS Secrets Manager, HashiCorp Vault, and encrypted git with SOPS.