Facebook Pixel

What should I put in the JWT payload?

Only non-sensitive claims: userId and role. The payload is base64-encoded, not encrypted. Anyone with the token can read it. Never put passwords, secrets, or PII in the payload.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Common JWT Mistakes (and How to Avoid Them)

Storing in LocalStorage, no expiry, sensitive data in payload, jwt.decode instead of verify, weak secret, no expired token handling, no revocation on logout, same secret across envs, no algorithm verification, and big payloads.

LocalStorage is open to XSS. Any script (including injected ones) can read it and send the token to an attacker. Use an httpOnly, secure, sameSite cookie. Scripts cannot read it.

jwt.decode just reads the payload without checking the signature. An attacker can forge a token with any payload. jwt.verify checks the signature and expiry, so forged tokens are rejected.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.