I am implementing a JWT based authentication system in my REST API, and am looking to use the JWT_ID claim in the token. According to Auth0, JWT ID allows a token to be used once:

jti (JWT ID): Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once)

I am wondering how often should the JWT ID be regenerated?

  • On every request
  • On Login only
  • On token refresh (if refresh token system is used)

NOTE: I am not using Auth0 for my authentication.

2 Answers

cassiomolin (Best Solution)

Keep in mind that the jti claim usage is optional, so you are not required to use it at all. However, it's pretty useful when you are required to keep track of a token, either in a whitelist or in a blacklist.

I am wondering how often should the JWT ID be regenerated?

I'm not sure what you mean with regenerate.

The value of the jti claim should be assigned when the token is generated. And once the token is signed, there's no way to modify it without invalidating the signature. So, if you assign a new id to the token in each request, you'll have to sign the token again, so you'll end up with a new token for each request.

Here's how the jti claim is defined in the RFC 7519:

4.1.7. jti (JWT ID) Claim

The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The jti claim can be used to prevent the JWT from being replayed. The jti value is a case-sensitive string. Use of this claim is OPTIONAL.

Bottom line

From what I understand of your use case, it makes sense to issue a new token (with a unique id, such as a UUID) when the client authenticates and when the client refreshes the token.

It is worth mentioning that the jti claim on its own does nothing against token replay. However, it gives you the means to identify the tokens and track them in a whitelist or in a blacklist.
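An added example (not from the question or either answer) of what this answer describes: a token minted at login/refresh gets a fresh UUID jti, and a denylist keyed by that jti is what lets the server refuse a still-unexpired token after logout. It uses only the Python standard library (HS256 done by hand) and a constructed secret; `issue_token`, `verify_token`, `revoke` and `revoked_jti` are names chosen for this example.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-secret"   # constructed for this example; use a random key in practice
revoked_jti = set()                   # denylist keyed by jti; in production a shared store (e.g. Redis)

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, ttl=900, now=None):
    """Mint an HS256 JWT at login or refresh; every call gets a fresh jti (UUID4)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, now=None):
    """Return the claims if signature, alg, exp and denylist checks pass, else raise ValueError."""
    try:
        h, p, s = token.split(".")
        sig = _b64url_decode(s)
    except ValueError as exc:             # wrong part count or bad base64 (binascii.Error)
        raise ValueError("malformed token") from exc
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # check the MAC before trusting any claim
        raise ValueError("bad signature")
    header, claims = (json.loads(_b64url_decode(x)) for x in (h, p))
    if header.get("alg") != "HS256":      # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    now = int(time.time() if now is None else now)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("jti") in revoked_jti:  # the jti is what makes per-token revocation possible
        raise ValueError("revoked")
    return claims

def revoke(token, now=None):
    """Logout: verify first, then record the jti so the still-unexpired token is refused."""
    jti = verify_token(token, now)["jti"]
    revoked_jti.add(jti)                  # the entry can be dropped once the token's exp has passed
    return jti
```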

toondaey

The jwt_id should only be generated upon login and on token refresh. It's best to use the expireIn and maxAge to quantify the duration of the validity of the token instead.