12. Privacy Considerations

A JWT may contain privacy-sensitive information about an individual. When this is the case, measures must be taken to prevent disclosure of that information to unintended parties. One way to achieve this is to use an encrypted JWT and authenticate the recipient, so that only the party holding the decryption key can read the Claims Set. Another is to ensure that a JWT carrying unencrypted privacy-sensitive information is only ever transmitted over a protocol that provides both encryption and endpoint authentication, such as TLS. The simplest way to minimize privacy issues is to leave personally identifiable information (PII) and other sensitive data out of the JWT altogether; JWT creators should include such data only when protections of this kind are in place.

Note that a signed but unencrypted JWT (a JWS) provides integrity, not confidentiality: the Claims Set is only base64url-encoded, so every claim name and claim value is readable by anyone who obtains the token, without any key. Encrypting the JWT (a JWE) protects the Claims Set, but the JOSE Header remains readable in the clear, so header parameters (for example, a "kid" value) should not themselves reveal privacy-sensitive information.
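The following example, added here and not part of the specification, makes the two points above concrete. It mints an HS256-signed JWT with the standard library, shows that an observer with no key can read a claim such as "email" straight out of the token, and adds a pre-issuance check that refuses to sign a Claims Set containing PII-bearing claim names unless the token is going to be encrypted. The list of PII claim names and the helper names are this example's own assumptions (the names are drawn from the OpenID Connect standard claims), and the JWE-shaped token is a constructed stand-in with random bytes in the encrypted slots, used only to show that the header, and nothing else, stays readable.

```python
import base64
import hashlib
import hmac
import json
import os

# Assumption for this example: claim names that routinely carry PII
# (taken from the OpenID Connect standard-claims list, not from RFC 7519).
PII_CLAIM_NAMES = {
    "name", "given_name", "family_name", "email", "phone_number",
    "address", "birthdate",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Compact serialization strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a JWS (HS256) JWT in compact serialization: header.payload.signature."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the HMAC over header.payload with a constant-time comparison."""
    head, payload, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def exposed_to_observer(token: str) -> dict:
    """What a party holding NO key can read from a compact-serialized JWT.

    JWS (3 segments): the JOSE Header and the entire Claims Set.
    JWE (5 segments): the JOSE Header only; the Claims Set is ciphertext.
    """
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        return {"header": header, "claims": json.loads(b64url_decode(parts[1]))}
    if len(parts) == 5:
        return {"header": header, "claims": None}
    raise ValueError("not a compact JWS or JWE")


def find_pii_claims(claims: dict) -> set:
    return set(claims) & PII_CLAIM_NAMES


def safe_to_issue(claims: dict, will_encrypt: bool) -> bool:
    """Pre-issuance gate: PII-bearing claims may only go into a JWT that will be encrypted."""
    return will_encrypt or not find_pii_claims(claims)


def jwe_shaped_stand_in() -> str:
    """Constructed stand-in shaped like a JWE (RSA-OAEP / A256GCM header, then
    random bytes where the encrypted key, IV, ciphertext and tag would be).
    It is NOT a decryptable JWE; it only shows which segment stays readable."""
    header = _json_segment({"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "enc-key-1"})
    return ".".join([header] + [b64url_encode(os.urandom(n)) for n in (256, 12, 64, 16)])


if __name__ == "__main__":
    key = os.urandom(32)  # constructed signing key for the demo
    claims = {"sub": "user-42", "email": "alice@example.com", "exp": 1700000000}
    print("issue unencrypted?", safe_to_issue(claims, will_encrypt=False))   # False
    token = mint_hs256(claims, key)
    print("observer sees:", exposed_to_observer(token)["claims"])          # email readable
    print("JWE observer sees:", exposed_to_observer(jwe_shaped_stand_in()))  # header only
```

The gate in `safe_to_issue` belongs in the token-minting path, before signing: once a JWS is handed out, nothing short of encryption hides its claims, and `exposed_to_observer` needs no key at all to return the "email" value.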

In many application scenarios a JWT is transient: it is carried in an HTTP request and discarded once processed. Where a JWT is persisted instead (for example, in a cookie or a database), the privacy risks of retaining sensitive claims for the lifetime of that storage must be considered, and the same applies to copies that end up in request logs, proxies or browser history if a token is placed in a URL.