Managing the lifecycle and validation of JWTs is crucial for maintaining security and a seamless user experience. This guide outlines common refresh token patterns, token validation techniques, and security recommendations.

JWT Validation

Section titled JWT Validation

When a JWT is received by your server, you should:

1. Verify the Signature

   • Confirm the JWT signature is valid using the appropriate public key or secret.
   • Reject tokens with invalid or missing signatures.

2. Validate Standard Claims

   • iss: Check if the issuer is trusted.
   • aud: Ensure the token was issued for your application.
   • exp: Confirm the token hasn’t expired.
   • nbf (if present): Ensure the token is currently valid.
   • iat (optional): Validate issued-at time if relevant to your application.

3. Check Revocation (if applicable)

   • Maintain a token blacklist or a token identifier (jti) revocation list.
   • Reject tokens that have been explicitly revoked.

Caution

Always reject expired or invalid tokens — never attempt to manually extend their lifetime.