[{"data":1,"prerenderedAt":422},["ShallowReactive",2],{"blog-prompts/secure-jwt-implementation":3},{"id":4,"title":5,"body":6,"category":401,"date":402,"dateModified":403,"description":404,"draft":405,"extension":406,"faq":407,"featured":405,"headerVariant":408,"image":407,"keywords":407,"meta":409,"navigation":410,"ogDescription":411,"ogTitle":407,"path":412,"readTime":407,"schemaOrg":413,"schemaType":414,"seo":415,"sitemap":416,"stem":417,"tags":418,"twitterCard":420,"__hash__":421},"blog/blog/prompts/secure-jwt-implementation.md","Secure JWT Implementation with AI Prompts",{"type":7,"value":8,"toc":391},"minimark",[9,16,21,24,101,105,108,174,184,188,191,251,255,258,312,321,337,341,344,365,379],[10,11,12],"tldr",{},[13,14,15],"p",{},"JWTs are easy to implement wrong. Use RS256 or ES256 (not HS256 with weak secrets), validate all claims, set short expiration times, and implement proper refresh token rotation. These prompts help you avoid the common JWT security pitfalls.",[17,18,20],"h2",{"id":19},"secure-token-generation","Secure Token Generation",[13,22,23],{},"Use this prompt to generate a complete JWT creation module with asymmetric signing. 
Your AI will produce functions for access and refresh token generation, key pair setup, and a key rotation strategy.",[25,26,28,31,38,41,57,60,84,87],"prompt-box",{"title":27},"Generate Secure JWTs",[13,29,30],{},"Create secure JWT generation for my authentication system.",[13,32,33,34],{},"Language: ",[35,36,37],"span",{},"TypeScript/JavaScript/Python",[13,39,40],{},"Requirements:",[42,43,44,48,51,54],"ol",{},[45,46,47],"li",{},"Use RS256 or ES256 algorithm (asymmetric)",[45,49,50],{},"Short expiration time (15 minutes for access token)",[45,52,53],{},"Include required claims: iss, sub, aud, exp, iat, jti",[45,55,56],{},"Minimal payload (don't store sensitive data; the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it)",[13,58,59],{},"Token payload should include:",[61,62,63,66,69,72,75,78,81],"ul",{},[45,64,65],{},"sub: user ID",[45,67,68],{},"iss: your domain",[45,70,71],{},"aud: intended audience",[45,73,74],{},"exp: expiration timestamp",[45,76,77],{},"iat: issued at timestamp",[45,79,80],{},"jti: unique, unguessable token ID (for revocation)",[45,82,83],{},"role: user role (if needed)",[13,85,86],{},"Create:",[61,88,89,92,95,98],{},[45,90,91],{},"generateAccessToken(userId, role)",[45,93,94],{},"generateRefreshToken(userId)",[45,96,97],{},"Key pair generation script",[45,99,100],{},"Key rotation strategy (set a kid header on every token so verifiers can select the right public key, and keep a retired public key available until the last token signed with it has expired)",[17,102,104],{"id":103},"secure-token-validation","Secure Token Validation",[13,106,107],{},"Copy this prompt to build JWT validation that blocks algorithm confusion attacks. 
You'll get code that verifies signatures, checks all standard claims, and returns typed error responses for each failure case.",[25,109,111,114,117,140,143,160,163],{"title":110},"Validate JWTs Properly",[13,112,113],{},"Implement secure JWT validation that prevents common attacks.",[13,115,116],{},"Validation must:",[42,118,119,122,125,128,131,134,137],{},[45,120,121],{},"Explicitly specify allowed algorithms (prevent algorithm confusion)",[45,123,124],{},"Verify signature with a key selected from your own trusted key set (look up kid against keys you control; never fetch a key from a jku/x5u URL or any other value supplied in the token header)",[45,126,127],{},"Check exp claim (reject expired tokens)",[45,129,130],{},"Check iat and nbf claims (reject future-dated or not-yet-valid tokens, allowing only a small clock-skew tolerance of a few seconds)",[45,132,133],{},"Verify iss matches expected issuer",[45,135,136],{},"Verify aud matches expected audience",[45,138,139],{},"Check jti against revocation list (if implementing revocation)",[13,141,142],{},"Reject tokens that:",[61,144,145,148,151,154,157],{},[45,146,147],{},"Use 'none' algorithm",[45,149,150],{},"Use unexpected algorithm",[45,152,153],{},"Have missing required claims",[45,155,156],{},"Are expired or not yet valid",[45,158,159],{},"Don't match expected issuer/audience",[13,161,162],{},"Return clear error types for logging and tests (respond to the client with a generic 401 so the response does not reveal which check failed):",[61,164,165,168,171],{},[45,166,167],{},"TokenExpiredError",[45,169,170],{},"InvalidSignatureError",[45,172,173],{},"InvalidClaimsError",[175,176,177],"warning-box",{},[13,178,179,183],{},[180,181,182],"strong",{},"Never trust the algorithm from the token header:"," Always specify which algorithms you accept. Attackers can change the algorithm to 'none' or switch from RS256 to HS256 using your public key as the secret.",[17,185,187],{"id":186},"refresh-token-rotation","Refresh Token Rotation",[13,189,190],{},"This prompt asks your AI to implement secure refresh token rotation with theft detection. 
You'll get database-backed token families, single-use enforcement, and automatic revocation when reuse is detected.",[25,192,194,197,200,217,220,237,240],{"title":193},"Implement Token Refresh",[13,195,196],{},"Implement secure refresh token rotation.",[13,198,199],{},"Flow:",[42,201,202,205,208,211,214],{},[45,203,204],{},"On login, issue access token (15 min) + refresh token (7 days)",[45,206,207],{},"Store refresh token hash in database with user ID",[45,209,210],{},"When access token expires, client sends refresh token",[45,212,213],{},"Validate refresh token, issue new access + new refresh token",[45,215,216],{},"Invalidate old refresh token (rotation)",[13,218,219],{},"Security measures:",[61,221,222,225,228,231,234],{},[45,223,224],{},"Refresh tokens are single-use (rotate on each use)",[45,226,227],{},"Detect token reuse (indicates theft)",[45,229,230],{},"Store refresh token family for revocation",[45,232,233],{},"If reuse detected, invalidate entire family",[45,235,236],{},"Bind refresh token to device/fingerprint",[13,238,239],{},"Implement:",[61,241,242,245,248],{},[45,243,244],{},"refreshTokens(refreshToken) -> { accessToken, refreshToken }",[45,246,247],{},"revokeRefreshToken(tokenId)",[45,249,250],{},"revokeAllUserTokens(userId)",[17,252,254],{"id":253},"token-revocation","Token Revocation",[13,256,257],{},"Use this prompt to add revocation capability to your JWT system. 
Your AI will generate a hybrid approach combining short-lived access tokens, database-backed refresh tokens, and an optional Redis blacklist for immediate invalidation.",[25,259,261,264,267,270,281,284,298,301],{"title":260},"JWT Revocation Strategy",[13,262,263],{},"Add revocation capability to my JWT system.",[13,265,266],{},"Challenge: JWTs are stateless, but we need to revoke them.",[13,268,269],{},"Options:",[42,271,272,275,278],{},[45,273,274],{},"Short expiration + refresh tokens (recommended)",[45,276,277],{},"Token blacklist in Redis",[45,279,280],{},"Version number in user record",[13,282,283],{},"Implement hybrid approach:",[61,285,286,289,292,295],{},[45,287,288],{},"Access tokens: 15 min, no revocation check (short-lived, so a stolen access token stays usable until it expires; keep the lifetime short for that reason)",[45,290,291],{},"Refresh tokens: stored in DB, can be revoked",[45,293,294],{},"On logout: delete refresh token",[45,296,297],{},"On password change: invalidate all refresh tokens",[13,299,300],{},"For immediate revocation needs:",[61,302,303,306,309],{},[45,304,305],{},"Store jti in Redis with TTL matching token expiration",[45,307,308],{},"Check blacklist only for sensitive operations",[45,310,311],{},"Background cleanup of expired entries",[313,314,315],"tip-box",{},[13,316,317,320],{},[180,318,319],{},"Pro tip:"," Consider using a library like jose (JavaScript) or PyJWT (Python) with careful configuration. Don't implement JWT signing/verification yourself.",[322,323,324,331],"faq-section",{},[325,326,328],"faq-item",{"question":327},"HS256 or RS256?",[13,329,330],{},"RS256 (asymmetric) is generally more secure because the public key can be shared without compromising signing ability. HS256 requires sharing the secret with anyone who needs to verify tokens, increasing risk. If one service both issues and verifies its own tokens, HS256 with a randomly generated secret of at least 256 bits is acceptable; the danger is a short or guessable secret, or a secret copied to every service that verifies.",[325,332,334],{"question":333},"Where should I store JWTs on the client?",[13,335,336],{},"Keeping the token in memory exposes it least (it is lost on page refresh, so pair it with a refresh flow). HttpOnly cookies with the Secure and SameSite attributes keep the token out of reach of page scripts, but you then need CSRF protection. localStorage and sessionStorage are both readable by any script running on the page, so a single XSS bug leaks the token. 
Never store in sessionStorage or plain cookies.",[17,338,340],{"id":339},"further-reading","Further Reading",[13,342,343],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[61,345,346,353,359],{},[45,347,348],{},[349,350,352],"a",{"href":351},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[45,354,355],{},[349,356,358],{"href":357},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[45,360,361],{},[349,362,364],{"href":363},"/blog/best-practices/secrets","Secret management best practices",[366,367,368,374],"related-articles",{},[369,370],"related-card",{"description":371,"href":372,"title":373},"Alternative to JWTs","/blog/prompts/add-session-security","Add Session Security",[369,375],{"description":376,"href":377,"title":378},"Common JWT attacks","/blog/prompts/fix-auth-bypass","Fix Auth Bypass",[380,381,384,388],"cta-box",{"href":382,"label":383},"/","Start Free Scan",[17,385,387],{"id":386},"check-your-jwt-security","Check Your JWT Security",[13,389,390],{},"Scan your JWT implementation for common vulnerabilities.",{"title":392,"searchDepth":393,"depth":393,"links":394},"",2,[395,396,397,398,399,400],{"id":19,"depth":393,"text":20},{"id":103,"depth":393,"text":104},{"id":186,"depth":393,"text":187},{"id":253,"depth":393,"text":254},{"id":339,"depth":393,"text":340},{"id":386,"depth":393,"text":387},"prompts","2026-02-26","2026-03-06","AI prompts to implement JWT authentication securely. Proper signing, validation, refresh tokens, and protection against common JWT attacks.",false,"md",null,"cyan",{},true,"AI prompts to implement JWT authentication the secure way.","/blog/prompts/secure-jwt-implementation","[object Object]","BlogPosting",{"title":5,"description":404},{"loc":412},"blog/prompts/secure-jwt-implementation",[419],"Authentication","summary_large_image","C4tiMdIxUW9nQvAUnQDnOlyMBsaT4fDYelmuOK-pgFc",1775843938030]