jwt

JSON Web Tokens for secure transmission. Use for authentication.

7 stars

Best use case

jwt is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using jwt should expect more consistent output, faster repeated execution and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/jwt/SKILL.md --create-dirs "https://raw.githubusercontent.com/G1Joshi/Agent-Skills/main/skills/security/jwt/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/jwt/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How jwt Compares

| Feature                 | jwt           | Standard Approach |
| :---------------------- | :------------ | :---------------- |
| Platform Support        | Not specified | Limited / Varies  |
| Context Awareness       | High          | Baseline          |
| Installation Complexity | Unknown       | N/A               |

Frequently Asked Questions

What does this skill do?

JSON Web Tokens for secure transmission. Use for authentication.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# JSON Web Token (JWT)

JWT is a compact, URL-safe means of representing claims to be transferred between two parties. The claims are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) or JSON Web Encryption (JWE).

## When to Use

- **Stateless Authentication**: the API verifies the signature and claims locally instead of looking up a session in a database on every request. The trade-off is that a token cannot be revoked before its `exp`, which is why expirations are kept short.
- **Information Exchange**: passing signed, tamper-evident data (like User ID + Roles) between microservices. A signature gives integrity and authenticity, not confidentiality; the contents stay readable unless you use JWE.

## Quick Start (Structure)

`Header.Payload.Signature`

```json
// Header
{
  "alg": "HS256",
  "typ": "JWT"
}

// Payload (Claims)
{
  "sub": "1234567890", // Subject (User ID)
  "name": "John Doe",
  "iat": 1516239022,    // Issued At (Unix seconds)
  "exp": 1516242622,    // Expiration (here iat + 3600)
  "role": "admin"
}

// Signature: HMAC-SHA256 over the two base64url segments (no padding) joined by "."
// For RS256 the same signing input is signed with the issuer's RSA private key instead.
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)
```

## Core Concepts

### Signing Algorithms

- **HS256** (HMAC): Shared secret. Fast, simple. Good for internal microservices, but every service that can verify a token also holds the secret and can therefore mint one.
- **RS256 / ES256** (RSA/ECDSA): Public/Private key pair. The ID Provider signs with the Private key; APIs verify with the Public key (usually fetched from the provider's JWKS endpoint) and can never forge tokens. **Preferred for 2025**.

### Claims

- **Registered**: `iss` (issuer), `exp` (expiration), `sub` (subject), `aud` (audience), plus `nbf` (not before), `iat` (issued at) and `jti` (unique token ID, useful for replay detection). All are optional per RFC 7519, so the verifier must decide which ones it requires.
- **Public/Private**: Custom data (`role`, `tenant_id`). Public claims should use collision-resistant names; private claims are whatever the issuer and consumer agree on.

## Best Practices (2025)

**Do**:

- **Short Expiration**: 5-15 minutes max. Use Refresh Tokens for long-lived sessions.
- **Algorithm Verification**: Hardcode the expected algorithm (e.g., `algorithms=['RS256']`) in your verifier and never let the token's own `alg` header choose the routine. This blocks `alg: none` tokens (no signature at all) and algorithm confusion, where an RS256 token is re-signed as HS256 using the public key as the HMAC secret.
- **Validate Claims**: Reject tokens whose `exp` has passed and whose `iss` and `aud` do not match this API; a token minted for another service should not be accepted here.
- **Use RS256/ES256**: Avoid sharing secrets if possible.

**Don't**:

- **No PII**: Don't put GDPR/PII data (email, address) in the JWT unless encrypted (JWE). The payload is only base64url-encoded, so anyone holding the token can read it.
- **No Sensitive Data**: Don't put "password" or "credit card" in claims.
- **Don't store in LocalStorage**: Susceptible to XSS. Use **HttpOnly / Secure Cookies**, and pair them with `SameSite` or a CSRF token, because a cookie is sent automatically on cross-site requests.

## Troubleshooting

| Error               | Cause                            | Solution                                     |
| :------------------ | :------------------------------- | :------------------------------------------- |
| `TokenExpiredError` | `exp` time passed.               | Refresh the token using a Refresh Token.     |
| `JsonWebTokenError` | Malformed or Signature mismatch. | Check secret/public key and token integrity. |

## References

- [jwt.io](https://jwt.io/)
- [RFC 7519](https://tools.ietf.org/html/rfc7519)