What is jti in jwt
Last updated: April 1, 2026
Key Facts
- JTI stands for 'JWT ID' and is an optional but recommended claim in the JWT specification
- JTI must be unique for each token issued by the same issuer to prevent token reuse
- JTI is commonly used to implement token blacklisting and revocation mechanisms
- The JTI claim value is a case-sensitive string unique per token instance
- JTI helps protect against token replay attacks by ensuring individual token tracking
Understanding JTI in JWT
JTI, or JWT ID, is a registered claim within JSON Web Tokens that serves as a unique identifier for individual tokens. While optional according to the JWT specification (RFC 7519), JTI is considered a best practice in modern authentication systems. Each token issued by an authentication server should have a distinct JTI value that can be used to track, validate, and revoke specific token instances.
JWT Structure and Claims
A JWT consists of three parts separated by dots: header.payload.signature. The payload contains claims, which are statements about the token and its subject. Standard registered claims include:
- iss (issuer) - who created the token
- sub (subject) - who the token is about
- aud (audience) - who the token is intended for
- exp (expiration) - when the token expires
- iat (issued at) - when the token was created
- jti (JWT ID) - unique token identifier
Role of JTI in Token Management
The primary purpose of JTI is to enable token tracking and revocation. By assigning a unique identifier to each token, systems can maintain a blacklist or revocation list of tokens that should no longer be accepted. When a user logs out or their session is terminated, the token's JTI can be added to a blacklist, invalidating that specific token without affecting other valid tokens issued to the same user.
Security Benefits
JTI provides critical security advantages. It helps prevent token replay attacks, where an attacker captures and reuses a legitimate token: with JTI tracking, each token is uniquely identifiable, and the system can detect and reject replayed tokens. JTI also enables fine-grained token management, allowing systems to revoke specific tokens while keeping others valid, and helps detect suspicious patterns such as multiple simultaneous tokens from the same user.
Implementation Considerations
When implementing JTI, systems typically generate unique identifiers using UUIDs, random strings, or sequential IDs. The JTI value should be sufficiently random and unique to prevent collisions. Applications must store and check JTI values against a blacklist or revocation database on each request, which requires additional infrastructure but provides robust security for sensitive applications.
Related Questions
What is a JSON Web Token (JWT)?
JWT is a compact token format for securely transmitting claims between parties. It consists of a header, payload with claims, and cryptographic signature, typically used for stateless authentication and information exchange.
How does token blacklisting work with JTI?
When a token is revoked, its JTI value is stored in a blacklist database. Upon each request, the system checks if the token's JTI is in the blacklist and rejects it if found, effectively invalidating that specific token instance.
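One way to implement the issue, revoke and check cycle described under Implementation Considerations and in the blacklisting answer above, as an added example that is not part of the original page: it mints HS256 tokens with a UUID4 jti using only the Python standard library, keeps a revoked jti only until that token's exp, and rejects tokens that carry no jti at all. The secret, timestamps and claim values are constructed for the example.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-key-not-for-production"  # constructed for this example

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_payload(payload: dict) -> str:
    """Build header.payload and append an HS256 signature over that signing input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def issue_token(sub: str, ttl_seconds: int, now: int) -> str:
    """Mint a token whose jti is a fresh random UUID, so each token instance is distinct."""
    return sign_payload({"sub": sub, "iat": now, "exp": now + ttl_seconds, "jti": str(uuid.uuid4())})

class RevocationList:
    """Denylist keyed by jti; an entry lives only until its token's exp, so the store stays bounded."""
    def __init__(self) -> None:
        self._revoked = {}  # jti -> exp of the revoked token

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}  # expired tokens fail exp anyway
        return jti in self._revoked

def verify_token(token: str, revoked: RevocationList, now: int) -> "dict | None":
    """Return the claims when signature, exp and jti checks all pass, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # verify the signature before trusting any decoded field
    claims = json.loads(_b64url_decode(body))
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return None  # a token without a jti cannot be tracked or revoked, so reject it
    if claims.get("exp", 0) <= now or revoked.is_revoked(jti, now):
        return None
    return claims
```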
What is the difference between JTI and other JWT claims?
Unlike claims like 'exp' (expiration) that define token properties, JTI is a unique identifier that tracks individual tokens. This distinction allows JTI to enable token-specific operations like blacklisting without affecting other tokens.
Sources
- Wikipedia - JSON Web Token (CC-BY-SA-4.0)
- RFC 7519 - JSON Web Token (JWT) (Public Domain)