## What's a JSON Web Token?

The JSON object is digitally signed using a JSON Web Signature (JWS) and optionally encrypted using JSON Web Encryption (JWE).
## Authentication Steps: Login with username and password

| | Cookies | Web Storage (session/local) |
|---|---|---|
| Client Action | send username & password | send username & password |
| Server Action | verify username & password | verify username & password |

## Authentication Steps: Receive JWT

| | Cookies | Web Storage (session/local) |
|---|---|---|
| Server Action | Set `Cookie` Header with JWT | Set response body with JWT |
| Client Action | No action | Save JWT to storage |

## Authentication Steps: Use JWT for subsequent requests

| | Cookies | Web Storage (session/local) |
|---|---|---|
| Client Action | No action | Set `Authorization` Header with JWT |
| Server Action | Parse `Cookie` Header and verify JWT | Parse `Authorization` Header and verify JWT |

## Authentication Steps: "Logout" by deleting JWT

| | Cookies | Web Storage (session/local) |
|---|---|---|
| Client Action | Set expiration to a past date | Clear storage value |
| Server Action | No action | No action |

## JWT Client Storage Showdown: Exploit Mitigation Steps

| Exploit | Cookies | Web Storage (session/local) |
|---|---|---|
| MITM | set `Secure` flag | use HTTPS |
| CSRF | set `X-XSRF-TOKEN` header | No action needed |
| XSS | set `HttpOnly` flag | use JSON Web Encryption (JWE)[8,9] |