Best of JWT2025

  1. 1
    Article
    Avatar of dotnetsquad.NET·1y

    Do you store the JWT in localStorage, sessionStorage, Cookies? then this post is for you

    Storing JWTs in vulnerable client-side storage (like localStorage, sessionStorage, or cookies) can expose applications to significant security risks. Alternatives include using in-memory storage and implementing a refresh token mechanism. This allows users to maintain their sessions without re-authenticating upon page reloads while mitigating potential attacks. Setting cookies with httpOnly, Secure, and SameSite flags is crucial for security. A short-lived JWT with periodic refreshing enhances protection.

  2. 2
    Article
    Avatar of medium_jsMedium·35w

    Authentication Explained: When to Use Basic, Bearer, OAuth2, JWT & SSO

    Authorization controls what users can do after authentication through three main models: RBAC assigns permissions to roles, ABAC uses attributes and context for fine-grained control, and ACL attaches permissions to individual resources. Real applications like GitHub and Stripe often combine these models. OAuth2 enables delegated authorization without sharing credentials, while JWTs and bearer tokens carry user identity and permissions across systems. The key is choosing the right combination of models and mechanisms based on your application's complexity and security requirements.

  3. 3
    Article
    Avatar of gitguardianGitGuardian·1y

    Authentication and Authorization Best Practices

    Authentication verifies the identity of a user making an API request, while authorization determines if the user has permission to access a specific API. Various methods such as basic auth, API keys, JWT, and OAuth have their use cases and best practices. These include using HTTPS, secure storage, least privilege principle, and regular security audits. Common mistakes to avoid involve using HTTP, storing API keys in code, and ignoring input validation.

  4. 4
    Article
    Avatar of bytebytegoByteByteGo·47w

    EP164: JWT Simply Explained

    JSON Web Tokens (JWT) provide a secure method for transmitting information between parties using an open standard. They are primarily used for authentication and authorization. A JWT comprises a header, payload, and signature, with two signature types: symmetric and asymmetric, based on the use of secret and public keys. JWTs are integral to modern web applications, ensuring secure data exchange.

  5. 5
    Article
    Avatar of systemdesignnewsSystem Design Newsletter·49w

    The System Design Newsletter

    The post explains the concept of JSON Web Tokens (JWT) and their structure, as well as their role in user authentication and authorization. It highlights the advantages of using JWT in distributed systems for scalability and ease of managing user sessions across servers. The post also addresses potential security risks associated with JWT and offers tips for mitigating these risks.

  6. 6
    Video
    Avatar of philipplacknerPhilipp Lackner·1y

    Full 2025 Backend Dev Crash Course for Beginners With Spring Boot (Kotlin, JWT Auth, MongoDB)

    The post is a beginner-friendly crash course for building REST APIs using Spring Boot and Kotlin. It covers the basic knowledge required to follow along, including a brief overview of Kotlin and IntelliJ setup. The course aims to familiarize readers with building a backend application that can handle routes, process data, and interact with MongoDB for storing user-generated notes. Authentication and security are also discussed, with JWT being used as the authentication mechanism.

  7. 7
    Article
    Avatar of freecodecampfreeCodeCamp·37w

    How to Implement Zero-Trust Authentication in Your Web Apps

    Zero-trust authentication replaces traditional perimeter-based security by continuously verifying every user, device, and request. The implementation involves multi-factor authentication with TOTP, secure JWT management with short-lived tokens and refresh mechanisms, role-based access control with fine-grained permissions, continuous verification through device fingerprinting and behavioral analysis, and automated security monitoring with threat detection and response systems. This approach reduces breach costs, improves compliance, and provides better protection against modern threats like credential theft and insider attacks.

  8. 8
    Article
    Avatar of snykSnyk·1y

    JWT Security Risk: Prevention & Best Practices

    JSON Web Tokens (JWTs) are used for secure authentication and information transmission due to their digitally signed nature. However, misuse can lead to severe security risks. The post highlights the structure of JWTs, their role in APIs and microservices, popular npm packages for JWT in Node.js, and common security pitfalls, including a demonstration of insecure JSONwebtoken.decode() usage. Snyk can detect such vulnerabilities and suggests using jsonWebToken.verify() instead. Recommendations for JWT security best practices include using strong secret keys, HTTPS transmission, proper token expiration and revocation, and secure management of environment variables.

  9. 9
    Article
    Avatar of infosecwriteupsInfoSec Write-ups·38w

    One Tool to Rule JWTs — Easy JWT Pentesting with JWTAuditor

    JWTAuditor is an open-source, privacy-focused JWT security testing tool that performs all analysis locally in the browser without sending tokens to external servers. It automatically detects over 15 types of JWT vulnerabilities, includes built-in brute force testing with 10,000+ common secrets, and features a visual token editor with syntax highlighting. The tool addresses privacy concerns with online JWT analyzers by keeping all data client-side while providing comprehensive security analysis including algorithm validation, sensitive data detection, and security claim verification.

  10. 10
    Article
    Avatar of microservicesioMicroservices.io·39w

    Authentication and authorization in a microservice architecture: Part 3 - implementing authorization using JWT-based access tokens

    Explores implementing authorization in microservices using JWT-based access tokens, covering four strategies for obtaining distributed authorization data: provide (embedding data in tokens), fetch (dynamic retrieval), replicate (local copies), and delegate (authorization service). Discusses JWT limitations including coupling risks, token staleness, size constraints, and security concerns. Uses RealGuardIO application examples to demonstrate when access token authorization works well for simple RBAC scenarios versus complex authorization requiring remote data from multiple services.

  11. 11
    Video
    Avatar of dreamsofcodeDreams of Code·38w

    Better Auth is so good that I **almost** switched programming languages

    Better Auth is a TypeScript authentication library that offers comprehensive features like two-factor authentication, organizations, and payment integrations through plugins. While the author prefers Go for backend development, Better Auth's capabilities are compelling enough to consider switching languages. The tutorial demonstrates how to integrate Better Auth with a Go backend using JWT tokens, covering token generation, verification with JWK endpoints, and different approaches for authenticated requests including client-side caching and server-to-server proxying through Next.js.

  12. 12
    Article
    Avatar of javarevisitedJavarevisited·1y

    JWT Authentication with Spring 6 Security

    Learn how to implement JWT authentication with Spring 6 Security using best practices. This guide walks through setting up a Spring Boot project, configuring JWT authentication, and integrating MongoDB for user data. It covers creating JWT tokens, adding security configurations, and testing endpoints. The aim is to secure a social media app with user authentication and authorization.

  13. 13
    Article
    Avatar of javarevisitedJavarevisited·52w

    Authentication & Authorization with Spring Security

    Spring Security is a robust framework for implementing authentication and authorization in Java applications. Key concepts like authentication vs. authorization, real-world analogies, user registration and login flow, password encryption, JWT token usage, and secure handling of access and refresh tokens are covered. Practical implementation steps and best practices for securing your Spring Boot application are also provided.

  14. 14
    Article
    Avatar of logrocketLogRocket·50w

    Authentication and authorization in Astro

    Astro's unique islands architecture presents challenges for authentication and authorization, requiring manual handling using middleware for protected routes. This guide demonstrates integrating authentication, leveraging Astro’s SSR capabilities, and using JWTs for a vehicle rental app. It details database setup, React and Tailwind integration, and server actions for user management. Route protection ensures admin-only access with detailed steps.

  15. 15
    Article
    Avatar of techleaddigestTech Lead Digest·44w

    The Ultimate Guide to JWT Vulnerabilities and Attacks (with Exploitation Examples)

    JWT vulnerabilities pose serious security risks in modern web applications. Common attacks include signature bypass, algorithm confusion (switching from RS256 to HS256), weak secret brute-forcing, and injection attacks through header parameters like 'kid' and 'jku'. The guide covers exploitation techniques for each vulnerability type, from trivial signature removal to sophisticated ECDSA psychic signature attacks. Key defense strategies include strict algorithm validation, secure key management, input sanitization, and proper signature verification implementation.

  16. 16
    Article
    Avatar of javarevisitedJavarevisited·23w

    Why I Implemented a Custom Serializer/Deserializer for JJWT Instead of Using jjwt-jackson

    A developer explains their decision to build a custom JSON serializer/deserializer for JWT handling instead of using the popular Jackson library. The custom implementation reduces security vulnerabilities from external dependencies, maintains framework consistency with existing tooling, provides better control over predictable JWT payloads, and eliminates unnecessary complexity. The lightweight codec integrates seamlessly with JJWT through its SPI mechanism while keeping the codebase transparent and maintainable.

  17. 17
    Article
    Avatar of freecodecampfreeCodeCamp·30w

    Master Authentication and Authorization in ASP.NET

    A comprehensive course covering authentication and authorization in ASP.NET applications. Learn to set up Identity tables with Entity Framework Core, configure JWTs, create authentication controllers, manage user registration and login, handle access and refresh tokens, and implement role-based authorization for secure web applications.

  18. 18
    Article
    Avatar of newstackThe New Stack·32w

    Apache Kafka 4.1: The 3 Big Things Developers Need To Know

    Apache Kafka 4.1 introduces three major developer-focused features: Queues for Kafka (KIP-932) enabling cooperative message consumption with per-message acknowledgment, native JWT-Bearer authentication support eliminating static credentials, and a new Kafka Streams rebalance protocol for better coordination. The release also includes improvements to consumer group protocols, transaction handling, and unified metrics.

  19. 19
    Article
    Avatar of awegoAwesome Go·46w

    JSON Web Tokens in Go

    JWT (JSON Web Tokens) is an open standard for securely transmitting information between parties. The guide covers JWT structure (header, payload, signature), explains the difference between symmetric (HS256) and asymmetric (RS256) signing methods, and provides a complete Go implementation using the golang-jwt library and Echo framework. It demonstrates how to generate RSA keys, create a login endpoint that issues JWTs, implement middleware for token verification, and follows security best practices including using RS256 signing and HTTPS.

  20. 20
    Article
    Avatar of supabaseSupabase·36w

    Supabase Auth: Build vs. Buy

    Supabase Auth offers a Postgres-native authentication solution that significantly reduces development time and costs compared to building custom auth systems. The service provides JWT-based authentication with Row Level Security integration, supporting multiple providers and security features. Building authentication from scratch typically requires 320-680 hours in the first year, while Supabase Auth can be implemented in 4-24 hours, representing potential savings of $47,400-$98,700. The comparison with Auth0 shows Supabase's advantages in cost predictability, database integration, and open-source flexibility, though Auth0 excels in enterprise features. Teams should only build custom auth for specialized compliance requirements, legacy system integration, or unique authentication flows.

  21. 21
    Article
    Avatar of fusionauthFusionAuth·1y

    What are JSON Web Tokens (JWTs)?

    JSON Web Tokens (JWTs) provide a secure method for transmitting data between an authentication server and an application. Learn the details in this short video.

  22. 22
    Article
    Avatar of bytebytegoByteByteGo·1y

    TEST EP149: JWT 101: Key to Stateless Authentication

    Learn to build and optimize a low-latency Rust application in a hands-on developer workshop, and explore the fundamentals of JSON Web Tokens (JWT) for secure, stateless authentication. Discover system design concepts such as Docker's importance, the workings of digital signatures, and the architectural evolution of Airbnb.

  23. 23
    Article
    Avatar of hnHacker News·23w

    WICG/email-verification-protocol: verified autofill

    A proposed web standard for verifying email addresses without sending verification emails or leaving the current page. The protocol uses DNS delegation, SD-JWT tokens with key binding, and browser mediation to enable mail domains to delegate verification to an issuer. The browser requests a token from the issuer using authentication cookies, verifies it, and provides it to the web application. This approach enhances privacy by preventing issuers from learning which applications users are accessing, while eliminating the friction of traditional email verification flows that cause user drop-off.

  24. 24
    Article
    Avatar of freecodecampfreeCodeCamp·41w

    What Are JSON Web Tokens (JWT)?

    JSON Web Tokens (JWT) are digitally signed, self-contained tokens used for secure authentication between systems. JWTs consist of three parts: header (metadata), payload (claims/data), and signature (verification). They can be signed using symmetric algorithms like HS256 with shared secrets or asymmetric algorithms like RS256 with public/private key pairs. The signature ensures authenticity and integrity without requiring server-side session storage. Key security practices include using HTTPS, keeping tokens short-lived, implementing refresh tokens, protecting signing keys, and never storing sensitive data in the payload.

  25. 25
    Article
    Avatar of systemdesigncodexSystem Design Codex·32w

    JWT versus PASETO

    JWT and PASETO are both token-based authentication mechanisms for secure client-server communication. JWT is widely adopted but has security pitfalls like algorithm confusion attacks and complex configuration choices. PASETO was designed as a safer alternative with secure defaults, enforced modern cryptography, and simplified specifications to prevent developer errors. While JWT has better ecosystem support and adoption, PASETO offers improved security through its opinionated approach that removes insecure options.

See all JWT archives