Pros and Cons of JWTs (JSON Web Tokens) (2024)

Hello Hashnoders. 👋
JWTs are widely used throughout the internet and in this article I am going to take a deeper look at them. I hope by the end of this article, you have a better understanding of what JWTs are, how they work, their benefits and drawbacks, and finally when and when not to use them.


A JSON Web Token is an open standard that defines a compact and self-contained way to securely transmit information between parties as a JSON object. The information can be digitally signed and verified on the other end. When tokens are signed using a key, the signature also ensures that only the party holding the key can decode the token and read the information.

While they can be used to transmit any piece of information, they are most commonly used to authenticate users by serving as Authorization Bearer tokens.


A JWT consists of three parts separated by dots.

  • Header
  • Payload
  • Signature

A typical JWT looks like

xxxxx.yyyyyyyy.zzzz

Let's break down the different parts.

Header 🔖

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

Example:

{ "alg": "HS256", "typ": "JWT"}

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload 🧳

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data.

This is the actual data that is being transmitted.

Example:

{ "username": "spiderman", "name": "Peter Parker", "uuid": "26da8586-fb7b-4126-a082-54e708152e50" }

The payload is then Base64Url encoded to form the second part of the token.

Note: Since the data is only Base64 encoded, anyone can simply decode and read it. Hence confidential information or secrets such as passwords should never be stored here.

Signature 🔐

The signature is created from the encoded header, the encoded payload, a secret key and the algorithm specified in the header.

This signature can be used to verify the integrity of the token. It is used to validate that the token is trustworthy and has not been tampered with. When you use a JWT, you must check its signature before storing and using it.

You only need to provide the secret key here; the rest is generated automatically.

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret123)

This is what the JWT for the above data would look like:

[image: the resulting JWT]

If you want, you can try and have fun with building JWTs at jwt.io.

Like any other technology, JWTs too have some pros and cons. It's not perfect, but it's not too bad either.

Short Version

Coz who reads an entire blog.

👍 Pros
  ✅ Fewer DB queries
  ✅ Token contains all required info
  ✅ Easy to use
  ✅ Use across services
  ✅ Fast

👎 Cons
  ⭕ More payload with every API call
  ⭕ Trouble managing clients from the backend
  ⭕ Secret key compromise leads to system compromise
  ⭕ Server cannot identify clients

Long Version

Let us dive deeper into each reason to understand it better.

👍 Pros

✅ Fewer DB queries

JWTs allow user authentication to be done without reading the database at all. The server can simply verify the JWT to check its authenticity and perform the required actions, in most cases without needing to fetch anything from the User table. This improves overall performance because repetitive DB queries are reduced.

✅ Token contains all required info

All in one pack. All required info regarding the user, or anything else that is necessary, can be wrapped and stored inside an encrypted token.

✅ Easy to use

One of the main reasons why developers love using JWT is its ease of use and simplicity. Setting up your backend to use it takes less than 5 minutes and you are good to go.

✅ Use across services

Since you don't need to verify the authenticity of the token with the DB, it is suitable for micro-service architecture where different services handle different jobs. You can set up one authentication service that issues the token and use this token across multiple services as long as they can verify the integrity of the token.

✅ Fast

Since very few DB queries are involved and most of the validation information is stored inside the token itself, the overall performance of the application can be boosted if JWT is used correctly.

👎 Cons

⭕ More payload with every API call

Each API call must carry the token in its headers (generally in the Authorization header as a Bearer token). This in turn increases the size of the network request payload. An average JWT token takes about 50 times more memory than a session token, thus bloating the size of every API request.

⭕ Trouble managing clients from the backend

Consider the situation where the server needs to block a user or update their privileges, but the user already has a JWT issued. None of these changes will be reflected on the user's side until they fetch a new JWT from the server.

⭕ Secret key compromise leads to system compromise

Since the integrity of a token can be verified only with the secret key, a lot depends on it. If this secret key is compromised for some reason, the entire mechanism fails and it leads to a system compromise. Giving this kind of power to a single developer or a single variable doesn't seem appropriate.

⭕ Server cannot identify clients

Once the token is issued, the server has no idea whether the client is active or not. It is only when they ask for a refreshed token that the server actually gets to know their status. The server has no way to identify the number of active users at any point in the application. This piece of information might be important to your application, so keep it in mind.
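As an added example (not code from the original post), this builds the token exactly as the Header, Payload and Signature sections describe and adds the verification checks that the cons about revocation and key handling call for: the page's payload and the secret123 key are used; the exp and jti claims, the REVOKED_JTI deny list, the algorithm pinning and the Python stdlib implementation are my own assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"secret123"          # the key from the signature formula above
REVOKED_JTI = set()            # assumed server-side deny list of token ids (in memory here)

def b64url(data: bytes) -> str:
    # Base64Url as JWT uses it: URL-safe alphabet, "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(payload: dict, secret: bytes = SECRET) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes = SECRET, now=None):
    """Return the payload only if the token is trustworthy; otherwise None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    # Pin the algorithm: the verifier decides it, never the token's header
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # header or payload was changed, or signed with another key
    payload = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired: a short lifetime bounds the "cannot revoke" window
    if payload.get("jti") in REVOKED_JTI:
        return None  # revoked early via the deny list (assumed mitigation)
    return payload

def read_payload_without_key(token: str) -> dict:
    # Anyone holding the token can do this: the payload is encoded, not encrypted
    return json.loads(b64url_decode(token.split(".")[1]))
```

The first segment of the result is the familiar eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, and read_payload_without_key shows why the note in the Payload section matters.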

JWTs are widely used throughout the internet and are very easy to set up and use. However, they may not be the solution for everyone.

📈 Use JWTs when :

  • working with a microservice architecture
  • looking for an easy way to set up an authentication service
  • want to minimize database queries

📉 Don't use JWTs when:

  • identifying clients is critical to your application
  • managing clients in realtime is a necessity
  • large API payload size is an issue
  • the secret key is likely to be compromised

Considering everything mentioned above, ask whether JWT is really the right solution for your project requirements. And if you do end up using it, make sure to address the basic security concerns.

If you have anything more to add to this article, leave it down in the comments below.
