Header & Payload Best Practices
Detailed guide on using the JWT Encoder.
JWT Header & Payload Best Practices
Header Guidelines
Required Fields
Always include alg in the header — it specifies the signing algorithm used.
Common Header Parameters
typ: Typically "JWT". Optional but recommended.kid: Key ID — hints which key was used. Essential when rotating keys.cty: Content type — rarely used, only for nested JWTs.
Security-Critical Rules
- Never accept "none" algorithm in production — always validate the algorithm matches what you expect
- Validate the
typif your application handles multiple token types - Use
kidproperly — ensure it maps to a known, valid key
Payload Best Practices
Registered Claim Names
Use these standard claims for interoperability:
iss(Issuer) — Case-sensitive string or URI identifying the principal that issued the JWTsub(Subject) — Identifies the subject of the JWT (usually a user ID)aud(Audience) — Recipient(s) the JWT is intended forexp(Expiration Time) — Unix timestamp after which the JWT must not be acceptednbf(Not Before) — Unix timestamp before which the JWT must not be acceptediat(Issued At) — Unix timestamp when the JWT was issuedjti(JWT ID) — Unique identifier; prevents replay attacks
Custom Claims
Use namespaced names to avoid collisions:
{
"https://api.example.com/roles": ["admin", "editor"]
}Common Mistakes to Avoid
- Storing sensitive data — JWTs are signed, not encrypted. Anyone with the token can read the payload
- Missing expiration — Always set
expto limit token lifetime - Oversized payloads — Large payloads increase token size and bandwidth usage
- Using
iatwithoutexp— Issued-at alone doesn't limit token validity