Devii · APIs & integration · 2026-03-11 · 8 min read
JSON Web Tokens: Signed Claims, Expiry, And Limits As Session Stores
RFC 7519 structure, validation steps, and why JWTs are not a substitute for server-side revocation by default.
A **JSON Web Token (JWT)** (RFC 7519) encodes a set of claims as a JSON object and wraps it either in a JWS (signed or MACed, RFC 7515) or a JWE (encrypted, RFC 7516). The common layout is the JWS compact serialization: three Base64URL segments, `header.payload.signature`, where the header names the algorithm and the signature covers the first two segments exactly as they appear on the wire. A JWE compact token has five segments (header, encrypted key, IV, ciphertext, authentication tag); the rest of this page is about the JWS form.
Validators must check the **signature** with the key and algorithm they expect for this issuer, and only then read the claims: **`exp`** (reject if past, allowing at most a small, fixed leeway for clock skew), **`nbf`** (reject if still in the future), **`iss`** (must equal the trusted issuer), and **`aud`** (must contain this service's identifier, since `aud` may be a string or an array). The algorithm is the verifier's decision, not the token's: pin the expected `alg` and key in configuration and reject anything else, including `none` and an algorithm that does not match the key type (an HMAC `alg` presented against a public key), rather than dispatching on whatever the header says.
JWTs are **stateless for the verifier** if you only check the signature and the time claims, which is exactly why such a verifier cannot notice that a token was revoked. Revoking before `exp` requires state somewhere: a blocklist keyed on **`jti`** (entries can be dropped once their `exp` passes), short lifetimes combined with refresh tokens so that revocation takes effect at the next refresh, or a server-side session store that the token merely references. Do not put secrets in JWT payloads: a JWS payload is integrity-protected but readable by anyone holding the token, because Base64URL is an encoding, not encryption; use JWE if the claims themselves must stay confidential.
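The validation order above and the `jti` blocklist are easier to see in one place. The following is an added example, not code from the original page or any library's API: a minimal HS256 verifier using only the Python standard library, with a small issuer so that the checks can be exercised against tokens built offline. The key, issuer URL, audience, claim values and fixed clock are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# All of the following are constructed for the demo. A real HS256 key must be
# random and at least 256 bits; the issuer and audience are placeholders.
DEMO_KEY = b"constructed-demo-key-0123456789abcdef0123456789abcdef"
ISSUER = "https://issuer.example"
AUDIENCE = "https://api.example"
NOW = 1_700_000_000  # fixed clock so every run is deterministic


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    # binascii.Error raised on bad input is a subclass of ValueError.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWS. The alg parameter exists only so the demo can
    build an unsecured 'alg: none' token and show the verifier refusing it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."  # unsecured JWS: empty signature segment
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class TokenInvalid(Exception):
    pass


def validate(token: str, key: bytes, issuer: str, audience: str,
             revoked: set, now: float, leeway: int = 30) -> dict:
    """Signature with the pinned algorithm first, then exp/nbf/iss/aud,
    then the jti blocklist. Returns the claims only if every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("expected header.payload.signature")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except ValueError:
        raise TokenInvalid("malformed header")
    # The verifier decides the algorithm; the header must merely agree.
    # This rejects "none" and any attempt to swap in a different algorithm.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenInvalid("alg not allowed")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        presented = b64url_decode(s_b64)
    except ValueError:
        raise TokenInvalid("malformed signature")
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        raise TokenInvalid("signature mismatch")
    # Claims are parsed and trusted only after the signature check.
    try:
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:
        raise TokenInvalid("malformed payload")
    if not isinstance(claims, dict):
        raise TokenInvalid("payload is not a JSON object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise TokenInvalid("expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf - leeway):
        raise TokenInvalid("not yet valid")
    if claims.get("iss") != issuer:
        raise TokenInvalid("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("wrong audience")
    # Revocation before exp: the blocklist needs an entry only until that
    # token's exp has passed, after which the time check rejects it anyway.
    if claims.get("jti") in revoked:
        raise TokenInvalid("revoked")
    return claims


def reject_reason(token: str, revoked=frozenset(), now: float = NOW) -> Optional[str]:
    """None if the token is accepted under the demo settings, else the reason."""
    try:
        validate(token, DEMO_KEY, ISSUER, AUDIENCE, set(revoked), now)
        return None
    except TokenInvalid as e:
        return str(e)


def demo_claims(**overrides) -> dict:
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "iat": NOW,
            "exp": NOW + 300, "jti": "a1b2c3"}  # five-minute lifetime
    base.update(overrides)
    return base


if __name__ == "__main__":
    good = issue(demo_claims(), DEMO_KEY)
    print("good token :", reject_reason(good))
    print("alg none   :", reject_reason(issue(demo_claims(), DEMO_KEY, alg="none")))
    print("expired    :", reject_reason(good, now=NOW + 600))
    print("revoked jti:", reject_reason(good, revoked={"a1b2c3"}))
```

Two design points are deliberate: `validate` never reads `alg` to choose a code path, it only confirms the header matches the one configured algorithm, and it does not parse the payload until the MAC has been verified, so a forged or tampered payload is never interpreted. The `revoked` set stands in for whatever shared store a deployment uses for a `jti` blocklist.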
OpenID Connect ID tokens are always JWTs and must be validated as above, with `aud` checked against the client's own `client_id`. OAuth 2.0 access tokens are opaque to the client unless the provider documents a format; RFC 9068 defines a JWT profile for them, but a resource server should rely on what its provider specifies, not on the token happening to parse. Read RFC 8725 (JWT Best Current Practices) for algorithm and key management guidance, including the points above on pinning algorithms and rejecting `none`.