JWT Glossary
Every JWT term defined with examples and links to tools.
-
JWT
JSON Web Token — a compact, URL-safe token format (header.payload.signature) used to transmit claims
-
JWS
JSON Web Signature — the signed JWT format defined in RFC 7515. Most JWTs in production are JWS toke
-
JWE
JSON Web Encryption — an encrypted token format (RFC 7516) where the payload is encrypted, not just
-
JWK
JSON Web Key — a JSON data structure representing a cryptographic key. Used in JWKS documents for RS
-
JWKS
JSON Web Key Set — a JSON document containing an array of public keys (JWKs). OIDC providers publish
-
Claim
A name/value pair inside the JWT payload. Registered claims (exp, sub, iss) are standardized; privat
-
Header
The first segment of a JWT, Base64URL-encoded JSON typically containing alg (algorithm) and typ (tok
-
Payload
The second segment of a JWT containing claims — user ID, roles, expiration, issuer, and custom data.
-
Signature
The third segment of a JWT, created by signing header.payload with a secret (HS256) or private key (
-
alg
Algorithm header claim specifying how the signature was created (e.g. HS256, RS256, ES256). Must mat
-
exp
Expiration Time claim — Unix timestamp after which the token must be rejected. Always validate serve
-
iss
Issuer claim — identifies who created the token, usually your auth server URL. Validate against expe
-
aud
Audience claim — identifies intended recipients (API identifier or client ID). Prevents token misuse
-
sub
Subject claim — unique identifier for the user or entity the token represents.
-
iat
Issued At claim — Unix timestamp when the token was created. Useful for freshness checks and debuggi
-
nbf
Not Before claim — Unix timestamp before which the token must not be accepted. Prevents premature us
-
jti
JWT ID claim — unique token identifier for revocation lists and replay prevention.
-
kid
Key ID header parameter — references which key in a JWKS was used to sign the token.
-
HS256
HMAC-SHA256 symmetric signing algorithm. Same secret signs and verifies. Simple but requires secure
-
RS256
RSA-SHA256 asymmetric signing. Private key signs; public key verifies. Standard for OIDC and enterpr
-
ES256
ECDSA with P-256 and SHA-256. Compact keys, widely used by Apple, Google, and modern OIDC providers.
-
Base64URL
URL-safe Base64 encoding used in JWTs. Replaces +/ with -_ and omits padding. Not encryption — anyon
-
Bearer Token
HTTP Authorization scheme where the client sends Authorization: Bearer <token>. Whoever holds the to
-
Access Token
Short-lived token authorizing API access. OAuth 2.0 access tokens are often JWTs but can be opaque s
-
Refresh Token
Long-lived token used to obtain new access tokens without re-authentication. Must be stored securely
-
ID Token
OpenID Connect token containing user identity claims. Always a JWT. Not used for API authorization —
-
OpenID Connect (OIDC)
Identity layer on OAuth 2.0. Adds ID tokens, standardized claims, and discovery endpoints including
-
OAuth 2.0
Authorization framework for delegated access. Often issues JWT access tokens but does not require JW
-
Scope
OAuth permission string (e.g. openid profile email) defining what access a token grants.
-
Token Endpoint
OAuth endpoint (/oauth/token) where clients exchange credentials or codes for access and refresh tok
-
Clock Skew
Small time difference between servers. JWT libraries typically allow 30–60 seconds leeway on exp/nbf
-
none Algorithm Attack
Security vulnerability where attackers set alg:none to bypass signature verification. Always reject
-
Key Rotation
Periodic replacement of signing keys. JWKS may contain multiple keys; kid header identifies the acti
-
Token Revocation
Invalidating tokens before expiry via blocklists, short TTLs, or refresh token rotation. JWTs are st
-
PKCE
Proof Key for Code Exchange — OAuth extension preventing authorization code interception. Required f
-
.well-known
Standard path for OIDC discovery (/.well-known/openid-configuration) and JWKS (/.well-known/jwks.jso
-
RFC 7519
The IETF standard defining JSON Web Token (JWT) structure and registered claims.
-
RFC 7515
The IETF standard for JSON Web Signature (JWS) — how JWT signatures are created and verified.