JWT (JSON Web Token) 已註冊聲明、OpenID Connect 聲明、自訂聲明、驗證規則和安全最佳實踐的完整參考。
| 聲明 | 描述 |
|---|---|
iss | Identifies the principal that issued the JWT. Typically the auth server URL. |
sub | Identifies the principal that is the subject of the JWT — usually the user ID. |
aud | Identifies the recipients that the JWT is intended for. The API must check this. |
exp | The time after which the JWT MUST NOT be accepted. Critical for security. |
nbf | The time before which the JWT MUST NOT be accepted. Useful for deferred activation. |
iat | The time at which the JWT was issued. Used to determine the age of the token. |
jti | Unique identifier for the JWT. Prevents token replay attacks when combined with a blocklist. |
| 聲明 | 描述 |
|---|---|
name | End-user's full name in displayable form. |
given_name | Given name(s) or first name of the end-user. |
family_name | Surname(s) or last name of the end-user. |
email | End-user's preferred email address. |
email_verified | True if the end-user's email has been verified by the Provider. |
picture | URL of the end-user's profile picture. |
locale | End-user's locale as a BCP 47 language tag. |
zoneinfo | End-user's time zone from the IANA Time Zone Database. |
updated_at | Time the end-user's information was last updated. |
nonce | String value used to associate a Client session with an ID Token and to mitigate replay attacks. |
at_hash | Hash of the Access Token value. Used to validate the access_token. |
auth_time | Time when the end-user was authenticated. |
| 聲明 | 描述 |
|---|---|
scope | OAuth 2.0 scopes granted to the token. Defines what resources the token can access. |
roles | Non-standard but widely used. Application roles assigned to the user. |
permissions | Fine-grained permissions. Used by Auth0, AWS Cognito, and others. |
azp | The client_id of the OAuth 2.0 Client that requested the token. Used with OIDC. |
acr | Level of authentication that occurred. Values defined by the deployment. |
amr | How the user was authenticated (password, OTP, biometric, etc.). |
| 聲明 | 描述 |
|---|---|
tenant_id | Multi-tenant app custom claim. Identifies the tenant/organization. |
org_id | Organization identifier used by Auth0, WorkOS, and similar platforms. |
plan | User's subscription tier. Common in SaaS billing-based access control. |
| 聲明 | 描述 |
|---|---|
Verify exp | Reject any token where exp < current time (in UTC seconds). Add small clock skew (30–60s). |
Verify iss | Must exactly match the expected issuer URL. Reject mismatches. |
Verify aud | Must contain your API's identifier. Reject tokens issued for other audiences. |
Verify signature | NEVER trust a JWT without verifying its cryptographic signature using the correct key/JWKS. |
Check nbf | If nbf is present, reject tokens used before this time. |
Check alg | Explicitly specify expected algorithm. Reject 'none' algorithm. Prefer RS256 or ES256 over HS256 for public APIs. |
| 聲明 | 描述 |
|---|---|
HS256 | Fast; uses a single shared secret for sign & verify. Only suitable when both parties are trusted (e.g., server-to-server). |
HS512 | Like HS256 but with 512-bit hash output. Marginally stronger for symmetric use cases. |
RS256 | Most widely supported asymmetric algorithm. Sign with private key, verify with public key. Use this for public APIs and OIDC. |
RS512 | RS256 with SHA-512. Stronger hash but same RSA security level. Marginally slower. |
ES256 | Compact, fast asymmetric algorithm. Smaller keys than RSA for equivalent security. Recommended for new systems. |
PS256 | More secure padding than RS256 (probabilistic). Required by FAPI (Financial-grade API) and advanced OIDC profiles. |
EdDSA | Modern elliptic curve algorithm. Fastest, smallest signatures. Use with jose library. Not universally supported yet. |
JWT 由三個以點分隔的 Base64URL 編碼部分組成: 標頭.有效載荷.簽名
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzdWIiOiJ1c2VyXzEyMyIsImF1ZCI6Imh0dHBzOi8vYXBpLmV4YW1wbGUuY29tIiwiZXhwIjoxNzM1Njg5NjAwLCJpYXQiOjE3MzU2MDMyMDAsInNjb3BlIjoicmVhZDp1c2VycyJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
alg: RS256演算法和令牌類型
typ: JWT聲明 — 數據
iss: https://auth.example.com加密驗證
sub: user_123aud: myappexp: 1735689600iat: 1735686000試試我們的 JWT 編碼器/解碼器 進行 JWT 令牌的編碼/解碼
exp(過期時間)是令牌過期的時間,在此時間之後不得接受。nbf(不早於)是令牌生效的時間,在此時間之前不得接受。iat(簽發時間)記錄令牌簽發的時間,用於確定令牌使用年限。三者均使用 NumericDate 格式(自 Unix 紀元以來的秒數)。
存取令牌應該是短期的:大多數應用程式為 5-60 分鐘,API 為 1-24 小時。重新整理令牌可以更長:數天到數週。較短的過期時間可以限制令牌被盜的損失。永遠不要在 JWT 負載中儲存敏感資料,因為它們是 base64url 編碼(非加密)的,任何人都可以解碼。
sub(主體)識別 JWT 所代表的主體(通常是使用者 ID)。在簽發者的上下文中應該是唯一的。使用穩定的、不可重新分配的識別碼(如 UUID 或數字 ID),而不是可能更改的使用者名稱或電子郵件。
是的,對於無狀態授權。在自訂聲明中包含角色/權限(例如,'roles': ['admin', 'user'])。但是,保持令牌輕量級 — 不要包含所有內容。對於細粒度權限,考慮引用令牌模式,其中 JWT 包含會話 ID,您在伺服器端查找權限。