
Token Security

Deep dive into JWT token security.

Token Structure

A JWT is three base64url-encoded segments joined by dots:

header.payload.signature

Header

{
  "alg": "EdDSA",
  "typ": "JWT",
  "kid": "key_abc123"
}

Payload

{
  "sub": "user:abc123",
  "iss": "http://localhost:8000",
  "aud": "your-app",
  "exp": 1730000000,
  "iat": 1729996400,
  "roles": ["editor"],
  "scopes": ["read:posts", "write:posts"]
}

Signature

USSO signs tokens with EdDSA (Ed25519) by default. A verifier should select the public key by the kid in the header and accept only the algorithm it expects (here EdDSA); the token's own alg header must never choose the verification algorithm, otherwise "alg": "none" and key-confusion attacks become possible.

Verification

1. Verify Signature

from usso import USSOAuth

auth = USSOAuth(config)
# Raises if the signature does not validate against the key selected by kid.
user = auth.verify_token(token)

The checks below operate on the decoded payload (claims, the dict of claims carried by the token). A correctly configured verify_token performs them itself; they are spelled out here so the conditions are explicit.

2. Check Expiration

import time

# RFC 7519: the token is invalid on or after exp, so compare with >=, not >.
if time.time() >= claims["exp"]:
    raise TokenExpired()

3. Validate Audience

# aud may be a single string or a list of audiences (RFC 7519 section 4.1.3).
aud = claims["aud"]
if expected_audience not in (aud if isinstance(aud, list) else [aud]):
    raise InvalidAudience()

4. Validate Issuer

# Exact string comparison; do not normalise or prefix-match the URL.
if claims["iss"] != expected_issuer:
    raise InvalidIssuer()

Common Attacks

Token Theft

Prevention:
- Use HTTPS everywhere, so the token is never sent in clear text
- Deliver the token in an HttpOnly, Secure cookie rather than localStorage
- Keep token lifetimes short, so a stolen token is useful only briefly

Token Replay

Prevention:
- Token expiration (exp) bounds the replay window
- One-time tokens for sensitive actions
- A unique JTI (JWT ID) per token, so individual tokens can be denylisted or revoked

XSS Attacks

Prevention:
- HttpOnly cookies, so script injected into the page cannot read the token
- Content Security Policy, to limit which scripts can run
- Output encoding of untrusted data (input sanitization alone is not sufficient)

CSRF Attacks

Prevention:
- SameSite cookies (Strict or Lax)
- CSRF tokens on state-changing requests
- Validate the Origin (or Referer) header against an allowlist
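The server-side controls from the four lists above in working form. This is an added example in plain Node.js, not USSO's code: sessionCookie covers token theft and XSS (HttpOnly, Secure, SameSite, lifetime bounded by exp), originAllowed covers CSRF (Origin check with Referer fallback), and JtiRegistry covers replay and revocation. All function and class names are this example's own, and the origins and timestamps used are constructed.

```javascript
// Token theft / XSS: the token never reaches page JavaScript (HttpOnly), only
// travels over TLS (Secure) and only on same-site requests (SameSite=Strict).
// Max-Age is derived from the token's own exp, so a stolen cookie dies with it.
function sessionCookie(name, token, expUnix, now = Math.floor(Date.now() / 1000)) {
  const maxAge = Math.max(0, expUnix - now);
  return `${name}=${token}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=Strict`;
}

// CSRF: in addition to SameSite, require an allowlisted Origin on state-changing
// requests. Fall back to Referer only when Origin is absent (some older clients);
// reject when neither is present rather than assuming same-origin.
function originAllowed(headers, allowedOrigins) {
  const origin = headers.origin;
  if (origin) return allowedOrigins.includes(origin);
  const referer = headers.referer;
  if (!referer) return false;
  try { return allowedOrigins.includes(new URL(referer).origin); } catch { return false; }
}

// Replay / revocation: a jti may be presented once. Entries expire with the
// token so the set cannot grow without bound; a revoked jti is stored the same way.
class JtiRegistry {
  constructor() { this.seen = new Map(); } // jti -> exp (unix seconds)

  prune(now) {
    for (const [jti, exp] of this.seen) if (exp <= now) this.seen.delete(jti);
  }

  // True the first time a jti is presented, false on every later attempt.
  // A token without a jti cannot be made one-time, so it is refused here.
  consume(jti, exp, now = Math.floor(Date.now() / 1000)) {
    this.prune(now);
    if (typeof jti !== 'string' || jti.length === 0) return false;
    if (this.seen.has(jti)) return false;
    this.seen.set(jti, exp);
    return true;
  }

  // Revoke before first use: the jti is treated as already consumed until exp.
  revoke(jti, exp) { this.seen.set(jti, exp); }
}
```

Pruning keys off exp only because the token verifier already rejects anything past exp; a jti whose entry has been pruned can therefore never be replayed, since the token carrying it is no longer accepted.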