Portswigger Academy JWT Labs
Portswigger Academy JWT Labs



JSON web tokens (JWTs) are a standardised format for sending cryptographically signed JSON data between systems. They can theoretically contain any kind of data, but are most commonly used to send information (“claims”) about users as part of authentication, session handling, and access control mechanisms.

JWTs are a popular choice for highly distributed websites where users need to interact seamlessly with multiple back-end servers.


Design issues and flawed handling of JSON web tokens (JWTs) can leave websites vulnerable to a variety of high-severity attacks. As JWTs are most commonly used in authentication, session management, and access control mechanisms, these vulnerabilities can potentially compromise the entire website and its users.