Devii · APIs & integration · 2026-03-11 · 8 min read


JSON Web Tokens: Signed Claims, Expiry, And Limits As Session Stores

RFC 7519 structure, validation steps, and why JWTs are not a substitute for server-side revocation by default.

A **JSON Web Token (JWT)** (RFC 7519) encodes claims as a JSON object, then signs (JWS) or encrypts (JWE) it. The common layout is the JWS compact serialization: header.payload.signature, each part Base64URL-encoded.

Validators must check the **signature** with the correct key, then **`exp`**, **`nbf`**, **`iss`**, and **`aud`**. The accepted algorithm should be explicit on the verifier's side rather than taken from the token; reject `none`.
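As an added example (not code from the original post), a minimal HS256 verifier built on Python's standard library that performs the checks above in that order and never lets the token header choose the algorithm; the key, issuer, audience and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time
KEY = b"constructed-demo-hmac-key"  # constructed sample key, not a real secret
ISSUER, AUDIENCE = "https://issuer.example", "api.example"
SAMPLE_CLAIMS = {"sub": "user-42", "iss": ISSUER, "aud": AUDIENCE, "nbf": 1700000000, "exp": 1700003600}

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims, key=KEY, alg="HS256"):
    # alg="none" exists here only to mint a sample token the verifier must reject
    header = b64url_encode(json.dumps({"alg": alg}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify(token, key=KEY, issuer=ISSUER, audience=AUDIENCE, now=None):
    # returns the claims, or raises ValueError naming the first failed check
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    h, p, s = parts
    # the verifier pins the algorithm; the header's alg is compared, never obeyed
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("exp")
    if now < claims.get("nbf", 0):
        raise ValueError("nbf")
    if claims.get("iss") != issuer:
        raise ValueError("iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud")
    return claims

def rejection(token, **kw):
    # name of the check that rejected the token, or None if it verified
    try:
        verify(token, **kw)
    except ValueError as e:
        return str(e)
```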

API gateway configuration

JWTs are **stateless for the verifier** only if you check nothing but the signature and the time claims. Revoking a token before it expires requires a blocklist, short lifetimes combined with refresh tokens, or a server-side session store. Do not put secrets in JWT payloads: a signed payload is readable by anyone holding the token (it is integrity-protected, not confidential).

OIDC ID tokens are JWTs in typical flows; access tokens may be opaque, depending on the provider. Read RFC 8725 (JWT Best Current Practices) for algorithm and key-management guidance.