Skip to main content

๐Ÿงพ JSON Web Token (JWT)

๐Ÿ“š Table of Contentsโ€‹

This framework is JWT-first and optimized for stateless token validation: API authentication, distributed systems, zero-trust backends, and scalable authorization enforcement.

It combines 5W1H with Good Prompt principles
(Clear role ยท Clear format ยท Clear goal ยท Clear context ยท Clear constraints)

The key idea:
๐Ÿ‘‰ JWT is NOT authentication
๐Ÿ‘‰ JWT is NOT authorization
๐Ÿ‘‰ JWT is a signed container for claims

๐Ÿ—๏ธ Context-ownedโ€‹

These sections are owned by the prompt context.
They ensure secure, correct, production-grade JWT usage.

๐Ÿ‘ค Who (Role / Persona)โ€‹

  • You are a senior backend / security engineer
  • Think in threat models, trust boundaries, and failure modes
  • Assume tokens can leak
  • Optimize for verification correctness and blast-radius control

Expected Expertiseโ€‹

  • JWT specification (RFC 7519)
  • JWS vs JWE
  • Symmetric vs asymmetric signing
  • Registered vs custom claims
  • Token expiration and clock skew
  • Key rotation (JWKS)
  • JWT vs opaque tokens
  • Common JWT vulnerabilities and misuses
  • JWT usage within OAuth2 / OIDC

๐Ÿ› ๏ธ How (Format / Constraints / Style)โ€‹

๐Ÿ“ฆ Format / Outputโ€‹

  • Prefer:
    • Data-structure-level explanations
    • Clear distinction between format and meaning
  • Explain:
    • what a claim represents
    • who issues the token
    • who validates it
  • Use:
    • Bullet points
    • Claim tables
    • Validation checklists

โš™๏ธ Constraints (JWT Best-Practice Rules)โ€‹

  • JWTs must be signed (never unsigned)
  • Prefer asymmetric algorithms (RS256 / ES256)
  • Never trust JWTs without verification
  • Always validate:
    • signature
    • expiration
    • issuer
    • audience
  • Keep tokens short-lived
  • Do not store sensitive data in JWTs
  • Do not treat JWTs as session storage
  • Assume JWTs are bearer tokens

๐Ÿงฑ Token Structure & Semanticsโ€‹

A JWT has three parts:

  • Header

    • Algorithm (alg)
    • Key ID (kid)

  • Payload (Claims)

    • Registered claims
    • Public claims
    • Private claims

  • Signature

    • Cryptographic proof of integrity
    • Issuer authenticity

Conceptually:

  • JWT = signed statement
  • Signature = trust anchor
  • Claims = assertions, not permissions

๐Ÿ” Claims, Signatures & Algorithmsโ€‹

  • Registered Claims

    • iss (issuer)
    • sub (subject)
    • aud (audience)
    • exp (expiration)
    • iat (issued at)
    • nbf (not before)

  • Custom Claims

    • Roles
    • Scopes
    • Tenant IDs
    • Feature flags (carefully)

  • Algorithms

    • RS256 / ES256 (recommended)
    • HS256 (shared-secret, high risk)
    • Never allow none

๐Ÿงช Validation, Rotation & Operationsโ€‹

  • Validate JWTs on every request
  • Fetch signing keys via JWKS
  • Support key rotation
  • Handle clock skew safely
  • Reject expired or malformed tokens
  • Log validation failures
  • Monitor token misuse patterns
  • Separate token validation from business logic

๐Ÿ“ Explanation Styleโ€‹

  • Treat JWTs as untrusted input
  • Explain claim meaning explicitly
  • Call out misuse (e.g. โ€œJWT = authโ€)
  • Avoid protocol confusion (OAuth2 / OIDC)
  • Prefer correctness over convenience

โœ๏ธ User-ownedโ€‹

These sections must come from the user.
They define business intent, token lifetime, and risk tolerance.

๐Ÿ“Œ What (Task / Action)โ€‹

Examples:

  • Validate JWTs in a backend API
  • Design JWT claims
  • Choose signing algorithms
  • Implement JWKS key rotation
  • Review JWT security posture

๐ŸŽฏ Why (Intent / Goal)โ€‹

Examples:

  • Stateless authentication
  • Scalable API security
  • Reduce auth server coupling
  • Improve performance
  • Enforce zero-trust principles

๐Ÿ“ Where (Context / Situation)โ€‹

Examples:

  • Backend APIs
  • API gateways
  • Microservices
  • Edge services
  • Internal service-to-service calls

โฐ When (Time / Phase / Lifecycle)โ€‹

Examples:

  • Initial architecture
  • Security hardening
  • Token incident response
  • Platform migration
  • Compliance review

๐Ÿ”— Final Prompt Template (Recommended Order)โ€‹

1๏ธโƒฃ Persistent Context (Put in security docs or README)โ€‹

# Token Rules โ€” JWT

You are working in a system that uses JWTs.

## Core Principles

- JWTs are signed claims containers
- JWTs are bearer tokens
- Never trust JWTs without validation

## Validation Rules

- Verify signature
- Validate issuer and audience
- Enforce expiration strictly

## Security

- Use asymmetric signing
- Rotate keys via JWKS
- Keep tokens short-lived
- Assume token leakage

## Architecture

- Issuer signs tokens
- Resource servers validate tokens
- Business logic never trusts raw claims

2๏ธโƒฃ User Prompt Templateโ€‹

What I want to do:
[Describe the JWT usage or validation problem.]

Why it matters:
[Security, scalability, correctness.]

Where this applies:
[API, gateway, service, edge.]
(Optional)

When this is needed:
[Design, implementation, audit.]
(Optional)

โœ… Fully Filled Exampleโ€‹

What I want to do:
Validate JWT access tokens issued by an OAuth2 authorization server.

Why it matters:
We need stateless verification across multiple microservices.

Where this applies:
Internal APIs behind an API gateway.

When this is needed:
During platform security hardening.

๐Ÿง  Why This Ordering Worksโ€‹

  • Structure before usage avoids protocol confusion
  • Validation before claims prevents trust bugs
  • Security before convenience reduces blast radius

JWT carries claims.
OAuth2 grants access.
OIDC defines identity.

Use JWTs deliberately โ€” they are powerful, sharp tools ๐Ÿงพ๐Ÿ”