JWT playbook

JWT examples for every authentication flow

Use these sample tokens to learn how claims differ across web apps, partner APIs, and mobile refresh flows. Each example includes context, security considerations, and direct links to decode with JWTSecrets.

Consumer web sessions

Short-lived bearer tokens for SPAs and native apps. Focus on tight expirations and clear audience scoping.

HS256 login token

B2C

Baseline example with a 15-minute lifetime and email scope.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhcHAuZXhhbXBsZSIsImF1ZCI6ImFwcC5mcm9udCIsInN1YiI6InVzZXJfNTUiLCJleHAiOjE3MDAwMDAwMDAsImlhdCI6MTcwMDAwMDAwMCwic2NvcGUiOlsiZW1haWwiXX0.c2lnbmVkX2RlbW9fYWJjMTIz
  • ✓ Rotates every 15 minutes.
  • ✓ Scoped to email actions only.

PKCE access token

B2C

Issued by an OAuth provider using RS256, with a kid header for JWKS key lookup.

eyJhbGciOiJSUzI1NiIsImtpZCI6ImtnXzEyMzQifQ.eyJpc3MiOiJsb2dpbi5pZHAiLCJzdWIiOiJ1c2VyXzk5IiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDA5MDAsImF1ZCI6ImFwcC5kYXNoYm9hcmQiLCJzaWQiOiJhdXRoXzEyMyIsImF6cCI6ImNsaWVudF8xMjMifQ.c2lnbmVkX3JzYV9kZW1v
  • ✓ Uses asymmetric signing.
  • ✓ Includes session ID for revocation.

Partner and service tokens

Machine-to-machine JWTs rely on strict aud values and short expirations. Ensure partner clients cannot escalate privileges.

Client credentials token

B2B

Contains client_id, scope, and a tight 5-minute expiration.

eyJhbGciOiJSUzI1NiIsImtpZCI6IjEyMzQifQ.eyJpc3MiOiJodHRwczovL2FwaS5hcHAtc2VjdXJlLmNvbSIsImF1ZCI6Imh0dHBzOi8vYXBpLm15c2VydmljZS5jb20iLCJjbGllbnRfaWQiOiJzYW5kYm94LXBhcnRuZXIiLCJzY29wZSI6WyJyZWFkOnVzZXJzIiwiY3JlYXRlOnRva2VucyJdLCJpYXQiOjE3MDAwMDAwMDAsImV4cCI6MTcwMDAwMDMwMH0ucmFzX3NpZ25hdHVyZV9kZW1v
  • ✓ aud locks the token to the partner API.
  • ✓ Uses JWKS via kid.

Signed webhook token

Automation

Example JWT used to authorize webhook deliveries with replay protection via `nbf` and `jti`.

eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ3ZWJob29rLXNlcnZpY2UiLCJhdWQiOiJjbHVzdGVyLWFwaSIsImp0aSI6IjEyMzQ1NiIsIm5iZiI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAwMDYwfQ5jaGVja19zaWduYXR1cmUi
  • ✓ Includes replay guard via jti.
  • ✓ Narrow audience per cluster.

Red team tokens to avoid

These samples illustrate what NOT to ship. Use them to confirm your decoders and gateways are rejecting insecure patterns.

alg: none token

Danger

If your API accepts this token, attackers can forge sessions.

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc3MiOiJldmlsLWlzc3VlciIsInN1YiI6ImF0dGFja2VyIiwicm9sZSI6ImFkbWluIn0.
  • ✗ No signature segment.
  • ✗ Allows privilege escalation.

Long-lived mobile token

Risk

Expires in 30 days, which makes it ideal for demonstrating why refresh rotation matters.

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJtb2JpbGUuYXBwIiwiYXVkIjoibW9iaWxlLWFwaSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAzODQwMDAwLCJyb2xlIjoiYXBwIn0ubG9uZ19zaWduYXR1cmVfdGVzdA
  • ✗ Lifetime measured in weeks.
  • ✗ No jti for revocation.
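As an added example, not code from JWTSecrets or this page, the following Python policy linter applies the rules the sections above describe: it pins the algorithm server-side so an alg:none header is rejected outright, verifies the HS256 signature, and flags audience mismatches, lifetimes beyond the allowed window, nbf in the future, missing jti, and tokens that are not three segments. The key, the clock and the sample tokens are constructed for the demo.

```python
import base64, hashlib, hmac, json

KEY = b"demo-hmac-key"  # constructed key; real deployments load it from a secret store
T0 = 1_700_000_000      # constructed clock, the same epoch the page's sample tokens use
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(header, payload, key):
    # Builds a compact JWT for the samples below; key=None yields an unsigned alg:none token.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    h, p = (enc(json.dumps(x).encode()) for x in (header, payload))
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest() if key else b""
    return f"{h}.{p}.{enc(sig)}"

def lint_token(token, key, aud, max_lifetime, now):
    # Returns policy findings for one token at time `now`; an empty list means it passes.
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    h, p, s = parts
    try:
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return ["malformed: header or payload is not base64url-encoded JSON"]
    out = []
    # Pin the algorithm server-side: the token's own alg header must never select the verifier.
    if header.get("alg") != "HS256":
        out.append(f"alg rejected: {header.get('alg')!r}")
    elif not hmac.compare_digest(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest(), sig):
        out.append("signature invalid")
    if claims.get("aud") != aud:
        out.append(f"aud mismatch: {claims.get('aud')!r}")
    if claims.get("exp", 0) <= now:
        out.append("exp missing or already expired")
    elif claims["exp"] - claims.get("iat", now) > max_lifetime:
        out.append(f"lifetime {claims['exp'] - claims.get('iat', now)}s exceeds {max_lifetime}s")
    if claims.get("nbf", 0) > now:
        out.append("not yet valid (nbf)")
    if "jti" not in claims:
        out.append("jti missing: no per-token revocation handle")
    return out

def demo():
    # Constructed tokens mirroring the page: a 15-minute session, alg:none, and a 30-day mobile token.
    base = {"iss": "app.example", "aud": "app.front", "sub": "user_55", "iat": T0}
    samples = {
        "session": make_token({"alg": "HS256"}, {**base, "jti": "s-1", "exp": T0 + 900}, KEY),
        "alg_none": make_token({"alg": "none"}, {"sub": "attacker", "role": "admin"}, None),
        "mobile": make_token({"alg": "HS256"}, {**base, "exp": T0 + 30 * 86400}, KEY)}
    return {name: lint_token(t, KEY, "app.front", 900, now=T0 + 60) for name, t in samples.items()}
```

Calling demo() returns an empty finding list for the session token, while the alg:none and 30-day tokens each collect the findings a gateway should reject them on.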

How to use these samples

  1. Load into the decoder. Paste the token and review the automated score to understand risk signals.
  2. Share within your team. Create red-team drills using the dangerous tokens to confirm controls are enforced.
  3. Upgrade for verification. JWTSecrets Enterprise can block insecure tokens before they reach your APIs.