
JWT jti uniqueness

Tags:

jwt

I'm having some trouble understanding how I'm supposed to use the jti claim in JWT. As far as I can see in other SO questions and from docs online, the idea is they should be unique, but unique to what scope? A jti per site/app? A jti per token/user? And if I have a jti specific to the user, doesn't that sort of undo the point of a JWT being stateless, as I'd need to somehow track the token?

I'd love to get some help understanding how to use the jti, or if maybe I don't need it at all.

Rohit Avatar asked Sep 06 '25 03:09



1 Answer

jti should be unique in the scope of the application in order to prevent two equal JWTs.

See RFC 7519

4.1.7. "jti" (JWT ID) Claim

The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string. Use of this claim is OPTIONAL.

It could be useful if you need a blacklist to revoke tokens and to ensure the same JWT is not issued twice (when it contains the same content and no timestamp claims).

pedrofb Avatar answered Sep 07 '25 23:09

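As an added illustration of the answer above (example code, not the answer author's), the block below mints HS256 JWTs with a random UUID `jti`, so two tokens with otherwise identical claims still differ, and verifies them against a denylist keyed by `jti` that forgets entries once the token's own `exp` has passed. The signing key, claim values and timestamps are constructed for the demo and are not from the page; it uses only the standard library, not a JWT library.

```python
import base64, hmac, hashlib, json, time, uuid

SECRET = b"constructed-demo-key"  # constructed sample key, not from the page

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT. jti is a random UUID, so two tokens with identical
    claims and timestamps still differ and can be revoked individually."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class Denylist:
    """Revocation list keyed by jti. Entries are kept only until the token's own
    exp, so the server-side state stays bounded instead of growing forever."""
    def __init__(self):
        self._revoked = {}  # jti -> exp
    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp
    def is_revoked(self, jti: str, now: int) -> bool:
        # Prune entries whose token has expired anyway; they can no longer verify.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return jti in self._revoked

def verify(token: str, denylist: Denylist, now=None) -> dict:
    """Check alg, signature and exp, then the jti against the denylist."""
    now = int(time.time()) if now is None else now
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if denylist.is_revoked(claims["jti"], now):
        raise ValueError("revoked")
    return claims
```

Only revoked tokens are tracked, and only until they would have expired anyway, which is the small amount of state the answer's blacklist costs you.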


