What are common JWT mistakes?
Storing in LocalStorage, no expiry, sensitive data in payload, jwt.decode instead of verify, weak secret, no expired token handling, no revocation on logout, same secret across envs, no algorithm verification, and big payloads.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Common JWT Mistakes (and How to Avoid Them)
LocalStorage is open to XSS. Any script (including injected ones) can read it and send the token to an attacker. Use an httpOnly, secure, sameSite cookie. Scripts cannot read it.
jwt.decode just reads the payload without checking the signature. An attacker can forge a token with any payload. jwt.verify checks the signature and expiry, so forged tokens are rejected.
Only non-sensitive claims: userId and role. The payload is base64-encoded, not encrypted. Anyone with the token can read it. Never put passwords, secrets, or PII in the payload.
Still have questions?
Browse all our FAQs or reach out to our support team
