JWT structure: three base64url segments separated by dots: a header (algorithm/type), a payload (claims), and a signature that lets the verifier check the token's integrity and origin.
2 / 5
What does the exp claim represent?
exp: a registered claim holding a NumericDate after which the token must be rejected. Related claims include iat (issued at) and nbf (not before).
3 / 5
Why is a JWT payload considered readable but tamper-evident?
Encoded, not encrypted: the payload is merely base64url-encoded, so anyone who holds the token can read it. The signature lets the verifier detect any modification, but it provides no confidentiality, so you must never put secrets in a standard signed JWT.
4 / 5
What is the danger of accepting the alg: none header?
alg none attack: if a verifier honors none, an attacker can strip the signature and forge arbitrary claims. Libraries and verifiers must enforce an allowlist of expected algorithms rather than trusting the alg value in the header.
5 / 5
Why is a short JWT lifetime often paired with a refresh token?
Stateless revocation gap: a self-contained JWT stays valid until it expires, so short lifetimes limit the damage of a leak. A longer-lived, revocable refresh token obtains new access tokens.