Jwt Security

🌐 Community
by mindrally · vlatest · Repository

Helps with JWT security as part of implementing security and authentication workflows.

Install on your platform

1. Run in terminal (recommended):

   claude mcp add jwt-security npx -- -y @trustedskills/jwt-security

2. Or manually add to ~/.claude/settings.json:

   {
     "mcpServers": {
       "jwt-security": {
         "command": "npx",
         "args": [
           "-y",
           "@trustedskills/jwt-security"
         ]
       }
     }
   }

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill provides expert guidance on implementing secure JSON Web Token (JWT) authentication and authorization workflows. It focuses on best practices for JWT creation, signing, and validation, emphasizing that JWT security depends heavily on proper implementation rather than inherent token properties. The skill helps ensure tokens are handled securely by recommending specific algorithms, payload structures, and lifetime guidelines.

When to use it

  • When designing or implementing authentication systems using JSON Web Tokens (JWTs).
  • To review existing JWT implementations for potential security vulnerabilities.
  • For guidance on selecting appropriate signing algorithms (RS256, ES256, EdDSA, HS256) based on your needs and environment.
  • When needing to implement key rotation strategies for JWT signatures.
  • To ensure compliance with JWT security best practices.

Key capabilities

  • Provides guidance on JWT structure (Header, Payload, Signature).
  • Recommends specific header attributes like kid for key rotation and typ: "JWT".
  • Defines required and recommended payload claims (iss, sub, aud, exp, iat, nbf, jti).
  • Suggests appropriate signing algorithms (RS256, ES256, EdDSA, HS256) with considerations for security.
  • Offers guidelines on token lifetime management (access tokens, refresh tokens, ID tokens, etc.).
  • Advises against storing sensitive data within JWT payloads.

Example prompts

  • "What are the best practices for including a key identifier in a JWT header?"
  • "Explain the difference between RS256 and HS256 signing algorithms."
  • "How can I implement token refresh mechanisms to maintain security while extending user sessions?"
  • "What claims should be included in a JWT payload?"

Tips & gotchas

  • Always validate tokens server-side, even for internal services.
  • Prioritize asymmetric signing algorithms (RS256, ES256, EdDSA) whenever possible.
  • Keep token lifetimes short and implement refresh mechanisms to minimize the impact of compromised tokens.
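The checks the tips above summarize (server-side verification, an explicit algorithm allowlist, kid-based key lookup so rotation works, required claims, issuer/audience binding, and short lifetimes), as an added example that is not part of this skill or the page. It uses HS256 with only the Python standard library so it runs offline; the page rightly prefers asymmetric algorithms (RS256, ES256, EdDSA) in production, where the same checks apply with a public-key verify in place of the HMAC. The key set, issuer, audience and kid values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key set (kid -> secret). Rotation adds a new kid and later
# retires the old one; tokens naming an unknown kid are refused.
HS256_KEYS = {
    "2024-01": b"previous-secret-constructed-for-demo",
    "2024-06": b"current-secret-constructed-for-demo",
}
ALLOWED_ALGS = {"HS256"}            # explicit allowlist; never trust the token's alg blindly
EXPECTED_ISS = "https://issuer.example"   # constructed
EXPECTED_AUD = "api.example"              # constructed
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "jti")
MAX_LIFETIME_SECONDS = 15 * 60      # short-lived access tokens; refresh extends the session
CLOCK_SKEW = 30


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, kid: str) -> str:
    """Mint a token with the recommended header fields: typ, alg and kid."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(HS256_KEYS[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, now=None) -> dict:
    """Verify signature and claims; raise ValueError naming the first failed check."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers JSON, base64 and split errors
        raise ValueError(f"malformed token: {exc}")

    # 1. Algorithm pinning: 'none' and anything off the allowlist is rejected
    #    before the signature is even looked at.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    if header.get("typ") != "JWT":
        raise ValueError("unexpected typ")

    # 2. Key selection by kid: unknown or retired keys cannot verify anything.
    key = HS256_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")

    # 3. Signature check, constant-time, before any claim is trusted.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 4. Required claims must all be present.
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        raise ValueError(f"missing claims: {missing}")

    # 5. Issuer and audience binding (aud may be a string or a list).
    if payload["iss"] != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = payload["aud"]
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")

    # 6. Time window with bounded skew, plus a cap on the issued lifetime.
    if now > payload["exp"] + CLOCK_SKEW:
        raise ValueError("expired")
    if "nbf" in payload and now + CLOCK_SKEW < payload["nbf"]:
        raise ValueError("not yet valid")
    if payload["exp"] - payload["iat"] > MAX_LIFETIME_SECONDS:
        raise ValueError("lifetime too long")
    return payload


def verify_result(token: str, now: int) -> str:
    """Return 'ok' or the rejection reason; convenient for logging and tests."""
    try:
        verify(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Order matters: the algorithm and kid checks run before the signature check, and the signature check runs before any claim is read, so a forged or algorithm-confused token never reaches the claim logic. The lifetime cap rejects tokens that were legitimately signed with an overly long exp, which is the case the third tip is about.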

Tags

🛡️

TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates: what you install today is exactly what was reviewed and verified.

Security Audits

  • Gen Agent Trust Hub: Pass
  • Socket: Pass
  • Snyk: Pass

Details

Version: vlatest
License:
Author: mindrally
Installs: 158

Passed automated security scans.