jti

jti, short for JWT ID, is a registered claim in the JSON Web Token (JWT) specification (RFC 7519). It represents a unique identifier assigned to a specific token. The claim is optional but widely used to support replay protection and token lifecycle management.

Purpose and usage: The main purpose of jti is to prevent the same token from being accepted more than once. When a JWT is issued, a unique jti value is included in the payload. On each later presentation of the token, the recipient or an authorization server checks whether that jti has been seen before and rejects duplicates. Implementations typically store observed jti values in a database or cache for a period aligned with the token’s validity: at least until exp (plus any clock-skew allowance), after which the record can be dropped because the token itself no longer validates. Because detection works by noticing repetition, this form of replay protection applies to tokens that are meant to be presented exactly once, such as client-authentication assertions or single-use refresh tokens. A bearer access token that is legitimately sent on every request cannot be replay-checked this way, although its jti still provides a stable identifier for revocation lists and audit logs.

Generation and format: jti values must be unique per issuer, and where a system accepts tokens from several issuers, collisions between issuers must be prevented as well (RFC 7519, Section 4.1.7); in practice this means a validator keys its replay store on the (iss, jti) pair rather than on jti alone. Common choices include cryptographically strong random strings (128 bits or more from a CSPRNG) or UUIDs (for example, UUID v4, which is randomly generated). The value is encoded as a case-sensitive JSON string within the JWT payload.

Limitations and considerations: Replay protection with jti requires state: the issuing service or a central validator must persist seen jti values, and every validator that may receive the token must consult the same store (or a consistently partitioned one); otherwise a token can be replayed once against each independent validator. In stateless validation scenarios, replay protection via jti is harder to enforce unless paired with a separate revocation or session-management mechanism. The check itself must be an atomic check-and-insert: a read followed by a separate write allows two concurrent presentations of the same token to both pass. Further practical considerations include handling clock skew (retain a jti record for the token’s lifetime plus the skew tolerated on exp, so a replay inside the skew window is still caught), setting short token lifetimes (which bound how long records must be kept), and cleaning up expired jti records to manage storage.

Relation to JWT practice: jti is one of the registered claims in JWT, alongside others such as iss (issuer), sub (subject), exp (expiration time), and aud (audience). Its use is recommended in systems where replay resistance or token auditing is important, but it is not mandated for all JWT deployments.
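The issue-and-verify flow described above, as an added example that is not part of the original page or of any particular JWT library. It signs tokens with HS256 using only the Python standard library, assigns a UUID v4 jti, and accepts each token at most once. JtiStore is a hypothetical in-memory stand-in for the cache or database the text mentions, keyed on (iss, jti) so that two issuers cannot collide; the 60-second skew allowance and the demo key are assumptions.

```python
"""Replay detection with jti: issue HS256 JWTs carrying a fresh jti, accept each
token at most once, and keep the jti record only for the token's validity
(plus clock-skew allowance). Added example; stdlib only."""
import base64
import hashlib
import hmac
import json
import time
import uuid

SKEW_SECONDS = 60  # assumed tolerance for clock skew on exp


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, key: bytes, ttl: int, now=None) -> str:
    """Issuer side: sign claims with HS256 and include iat, exp and a UUID v4 jti."""
    now = int(time.time() if now is None else now)
    payload = dict(claims, iat=now, exp=now + ttl, jti=str(uuid.uuid4()))
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class JtiStore:
    """Hypothetical in-memory stand-in for the cache/database of seen jti values.

    Keys are (iss, jti) so that two issuers reusing a jti do not collide
    (RFC 7519 Section 4.1.7). Each entry carries the time after which it may be
    dropped: exp + SKEW_SECONDS, when the token is rejected as expired anyway.
    """

    def __init__(self):
        self._seen = {}  # (iss, jti) -> drop-after timestamp

    def __len__(self):
        return len(self._seen)

    def purge(self, now) -> None:
        """Remove records for tokens that can no longer validate."""
        for k in [k for k, t in self._seen.items() if t <= now]:
            del self._seen[k]

    def mark_if_unseen(self, iss, jti, drop_after, now) -> bool:
        """Check-and-insert in one step (single-threaded here; a shared store
        would use an atomic SET NX or a unique-constraint INSERT). False = replay."""
        self.purge(now)
        k = (iss, jti)
        if k in self._seen:
            return False
        self._seen[k] = drop_after
        return True


def verify_once(token: str, key: bytes, store: JtiStore, now=None) -> dict:
    """Recipient side: check signature and exp, then reject a jti seen before."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + SKEW_SECONDS:
        raise ValueError("expired")
    jti = payload.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("missing jti")
    # Retain the record until exp + skew so a replay inside the skew window is caught.
    if not store.mark_if_unseen(payload.get("iss"), jti, exp + SKEW_SECONDS, now):
        raise ValueError("replayed jti")
    return payload


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    store = JtiStore()
    tok = issue({"iss": "https://issuer.example", "sub": "alice"}, key, ttl=300)
    print("first use:", verify_once(tok, key, store)["sub"])
    try:
        verify_once(tok, key, store)
    except ValueError as err:
        print("second use:", err)
```

The signature and exp checks run before the store is touched, so an attacker cannot fill the replay store with forged or stale tokens; the jti record is only written for tokens that would otherwise have been accepted.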