Learn the vocabulary of a self-contained, signed token verified without a session-store lookup.
0 / 5 completed
1 / 5
At standup, a dev mentions a compact, self-contained token that carries its own signed claims, so a server can verify it without a database lookup on every request. What is this token format called?
A JSON Web Token, or JWT, is a compact, self-contained token carrying its own signed claims, such as a user ID and an expiry, so a server can verify its signature and trust its contents without a database lookup on every single request. A server-side session ID instead requires a lookup against a session store to find out who the client actually is. This self-contained, verifiable-standalone property is what makes a JWT attractive for a stateless API that wants to avoid a session-store round trip on every call.
2 / 5
During a design review, the team gives an access-token JWT a short expiry, paired with a separate longer-lived refresh token used to obtain a new access token once the short one expires. Which capability does this pattern support?
This pattern supports limiting how long a stolen access token remains useful, while still avoiding forcing the user to log in again frequently, since a short-lived access token minimizes the damage if it's stolen, while the separate refresh token lets the client silently obtain a new access token without the user re-entering credentials. Issuing an access token with no expiry at all would make a stolen token useful indefinitely, defeating the whole point of pairing it with a refresh token. This short-access, longer-refresh pairing is a standard pattern for balancing security against user experience.
3 / 5
In a code review, a dev notices the server's JWT verification code accepts a token whose header specifies an algorithm of 'none', skipping signature verification entirely for that token. What does this represent?
This is a critical JWT verification vulnerability letting an attacker forge an unsigned token by simply setting the algorithm header to 'none', since a server that honors that header skips signature verification entirely and will trust whatever claims the attacker wrote into the token. A refresh token is an unrelated, legitimate concept. This specific flaw is well documented precisely because a JWT library's flexibility in choosing its own verification algorithm at runtime, driven by the token itself, can be turned against the server if it isn't locked down to an expected algorithm.
4 / 5
An incident report shows an attacker forged an admin-level JWT and gained unauthorized access, because the server's verification code trusted the algorithm specified in the token's own header instead of enforcing one expected signing algorithm. What practice would prevent this?
Hardcoding the expected signing algorithm on the server side, and rejecting any token that specifies a different one, closes off exactly the attack where a forged token claims an algorithm of 'none' to bypass signature verification. Continuing to trust whatever algorithm the token's own header specifies is exactly what let the attacker forge an admin-level token in this incident. This algorithm-pinning is a well-known, mandatory hardening step for any JWT verification implementation.
5 / 5
During a PR review, a teammate asks why the team issues a short-lived JWT paired with a refresh token instead of a long-lived opaque session token that never needs refreshing. What is the reasoning?
A long-lived opaque token remains dangerous for its entire lifetime if it's ever stolen, since there's no natural expiry limiting an attacker's window of use. A short-lived JWT limits that exposure window sharply, and the paired refresh token lets the client silently obtain a fresh access token without forcing the user through a login flow again. The tradeoff is the added complexity of implementing and securing the refresh flow itself, which becomes a new, valuable target that also needs careful protection.