JWT jti uniqueness

Question

I'm having some trouble understanding how I'm supposed to use the jti claim in JWT. As far as I can see in other SO questions and from docs online, the idea is they should be unique, but unique to what scope? A jti per site/app? A jti per token/user? And if I have a jti specific to the user, doesn't that sort of undo the point of a JWT being stateless, as I'd need to somehow track the token?

I'd love to get some help understanding how to use the jti, or if maybe I don't need it at all.

Answer 1

jti should be unique in the scope of the application in order to prevent two equal JWT.

See RFC 7519

4.1.7. "jti" (JWT ID) Claim

The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case- sensitive string. Use of this claim is OPTIONAL.

It could be useful if you need a blacklist to revoke tokens and to ensure the same same JWT is not issued twice (when contains the same content without timestamp claims)