
JWT Validator

Implements secure JWT creation, validation, and rotation with proper algorithm selection, claim validation, and key management.

By Anthropic 6,500 v1.2.0 Updated 2026-03-10

Install

Claude Code

Copy the SKILL.md file to your project's .claude/skills/ directory

About This Skill

JWT Validator implements the JWT standard correctly — which is harder than it sounds. The JWT ecosystem has many common pitfalls that have caused real-world authentication bypasses at major companies.

Security Requirements Enforced

Algorithm Selection

  • **RS256 (recommended for APIs)** — asymmetric: the private key signs, the public key verifies. Authorization servers can distribute the public key via JWKS without exposing signing capability.
  • **HS256** — symmetric, suitable only for internal systems where both sides are trusted. Never use it for multi-tenant or public-facing APIs.
  • **Explicitly reject 'alg: none'** — the most common JWT vulnerability, blocked in generated code.

Claim Validation

All generated validators check:

  • `exp` — token not expired (with configurable clock skew tolerance, default 30s)
  • `nbf` — not-before time, if present
  • `iss` — issuer matches the expected value (strict string match, not prefix)
  • `aud` — audience includes your service identifier
  • `sub` — subject present and non-empty

Key Management

JWKS Integration: For external JWT issuers (Auth0, Cognito, Google), generates key fetching from the `/.well-known/jwks.json` endpoint with:

  • Key caching (TTL-based, with force-refresh on unknown `kid`)
  • Key rotation support (multiple valid keys in JWKS)

RSA Key Generation: For issuing your own tokens — generates key pair creation code and rotation schedule.

Token Lifecycle

  • Access token: 15 minutes, contains user identity and permissions claims
  • Refresh token: 7-30 days, stored in database for revocation support
  • Refresh rotation: each refresh generates a new refresh token (old invalidated)

Language Implementations

  • Node.js with `jose` library (recommended, maintained by Panva)
  • Python with `python-jose` or `PyJWT`
  • Go with `golang-jwt/jwt`
  • Java with `java-jwt` (Auth0)

Use Cases

  • Implementing stateless API authentication with JWT access and refresh tokens
  • Setting up JWT key rotation without service downtime
  • Validating third-party JWTs from OAuth providers using JWKS
  • Implementing short-lived tokens with refresh token rotation for mobile apps

Pros & Cons

Pros

  • + Explicitly rejects 'alg: none' — the most exploited JWT vulnerability
  • + Full claim validation including iss and aud strict matching
  • + JWKS caching with rotation support for external identity providers
  • + Refresh token rotation with database revocation support

Cons

  • - JWT is stateless by design — revocation requires a denylist (Redis) for access tokens
  • - Asymmetric key management (RSA key rotation) adds operational complexity
