Integration Galaxy LogoIntegration Galaxy
IntegrationSecurityAzure APIMWorkatoSnapLogicOracle SOANode JSMuleSoftProgramming

JWT Part 2: How to Use JSON Web Tokens (JWT) in Real Applications

Integration Galaxy
4 min read
integrationgalaxy.com: How to Use JSON Web Tokens (JWT) in Real Applications

Share this post

Now that you understand what JSON Web Tokens are, let’s explore how they are used in real-world applications and how you can work with them securely.

Practical Applications of JWT

JWTs are extremely flexible and are used in many different ways across web and mobile apps. Here are two of the most common applications:

1. Stateless Client-Side Sessions

Normally, when users log into a website, the server needs to remember who they are — typically by storing session data. But JWTs allow all the necessary information to be stored on the client-side.

This is called a stateless session, and it has some major advantages:

  • Scalability: No need for a central database to store sessions.
  • Performance: Reduced server memory and faster responses.

However, client-side sessions need to be protected carefully:

  • Always sign the JWT to prevent tampering.
  • Be careful with sensitive information — encrypt if necessary.
  • Watch out for attacks like XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery).
Important: If a user’s session is stored entirely in a JWT, and the token is stolen, the attacker can impersonate the user until the token expires.

2. Federated Identity and Single Sign-On (SSO)

JWTs also power many Single Sign-On (SSO) systems.

Imagine logging into different websites using your Google or Facebook account.
In the background, your identity provider (Google/Facebook) issues a JWT, confirming your identity.
The website you are logging into just needs to verify the JWT — without directly talking to Google each time.

This is:

  • Secure: Because the token is signed.
  • Efficient: Because the app doesn’t need to re-check every time.
  • Flexible: You can switch identity providers easily.

A Quick Look at JWT Security Concerns

Whenever you use JWTs, security must be a top priority. Here are some real-world risks:

1. Signature Stripping Attack

An attacker could try to remove the JWT signature and change the token.
If your app accepts unsigned tokens, the attacker can trick the system.

Solution: Always verify that the token is signed using the expected algorithm.

2. CSRF (Cross-Site Request Forgery)

If a JWT is stored in a cookie, malicious websites might trick a user's browser into sending unwanted requests.

Solution:
  • Use secure request headers.
  • Prefer storing tokens in localStorage or sessionStorage rather than cookies.
  • Implement CSRF protection techniques.

3. XSS (Cross-Site Scripting)

If an attacker injects JavaScript into your site, they might steal tokens from storage.

Solution:
  • Sanitize all user input properly.
  • Use the HttpOnly flag on cookies (so JavaScript can't access them).
  • Follow best practices for frontend security.

The Anatomy of a JWT: A Closer Look

Let’s break down a typical JWT structure again:

1. Header

  • Specifies the signing algorithm (e.g., HS256, RS256).
  • Usually looks like this:
{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

  • Contains the actual information (claims).
  • Example:
{
  "sub": "user123",
  "name": "Jane Doe",
  "admin": true
}
Note: Never put sensitive information like passwords inside a JWT unless it’s encrypted.

3. Signature

  • Ensures the JWT wasn't changed.
  • Generated using the header, payload, and a secret key.

When combined, the three parts form a JWT like this:

header.payload.signature

Each section is base64-url encoded and separated by dots.

How JWT Authentication Works Step-by-Step

Here’s what happens when you use JWT for authentication:

  1. User logs in with username/password.
  2. Server verifies credentials and generates a JWT.
  3. Server sends the JWT back to the client.
  4. Client stores the JWT (usually in memory or localStorage).
  5. Client sends the JWT with each request to protected APIs (typically in an Authorization header like Bearer <token>).
  6. Server validates the JWT before serving the request.

Best Practices for Working with JWTs

To use JWTs securely and effectively, remember these golden rules:

  • Always sign your JWTs using a strong, secure algorithm (RS256 is better than HS256 in many cases).
  • Set short expiration times (exp claim) to minimize the impact of stolen tokens.
  • Use HTTPS to protect tokens during transmission.
  • Store tokens securely (preferably in secure storage areas, and not in cookies unless HttpOnly and Secure flags are used).
  • Validate all claims (especially issuer iss, audience aud, and expiration exp).
  • Never trust the payload blindly — always validate the token.

Coming Up Next…

In the next part of the series, we will cover:

  • How to create and sign JWTs
  • How to verify and decode them safely
  • A walkthrough on using JWTs with Node.js and Express

Stay tuned! We'll get hands-on with code examples and make working with JWTs super easy.

0% complete
0 claps
← Back to all posts