Skip to content

JSON Web Token

Service Name: JSON Web Token (JWT)

Service Description: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Service Address: https://jwt.io/

Validation Type: API Auth

IP Allow list: Does not exist at the token level. IP restrictions would need to be implemented at the application or service level that consumes the JWT.

Secret Access Scope: Grants access to protected resources based on the claims contained within the token. The scope depends on the specific implementation and the claims included in the token payload.

Secret Revokement URL: Does not exist directly. JWTs are typically revoked by: 1. Setting a short expiration time 2. Implementing a token blacklist 3. Rotating signing keys

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Suspicious Activity Investigation Instructions:

  • Decode the JWT to examine its payload and verify if the claims are appropriate.
  • Check the token's expiration time to ensure it hasn't been manipulated.
  • Verify the token signature using the appropriate secret or public key.
  • Review application logs for unusual token usage patterns or access attempts.
  • Monitor for tokens being used from unexpected IP addresses or locations.
  • Check for multiple failed token validation attempts which might indicate brute force attacks.

Mitigation Instructions:

  • Rotate the JWT signing key/secret immediately.
  • Update all legitimate clients with the new signing key.
  • Implement a token blacklist for the compromised tokens.
  • Consider reducing token expiration times to minimize the window of vulnerability.
  • Ensure proper validation of tokens including signature verification, expiration checks, and audience validation.
  • Implement additional security measures such as IP-based restrictions or multi-factor authentication.
  • Review and update JWT implementation to follow security best practices.
  • Consider implementing a centralized authentication service like OAuth 2.0 with proper token management.