Question: How do I securely store JWTs on the client?
Answer: User JWTs, which are usually returned either as cookies or in JSON payloads in response to a successful login, are transient (they don't last forever) and are meant to be stored on the client. They are not meant to be kept secret, and are not dangerous to have on the client. They are simply used to identify the user. You don't need to obfuscate or obscure them in any way, since they will be clearly visible in the headers of any request the client makes to the server in the Network tab, usually in the Authorization header, where you see Authorization: Bearer YOUR_JWT_HERE.
You can, and probably should, store them in LocalStorage on the client so that if the customer closes the window and then comes back quickly they can pick up where they left off. Most auth service providers and libraries handle all of this automatically for you, so make sure your library isn't already handling the LocalStorage part for you before you go and do it yourself.
It's worth noting that JWT security varies between application types. There are low security applications where you only need to log in every once in a while. There are medium security applications where you need to log in more frequently, or in response to specific actions like changing your password. And there are high security applications where you need to log in at short regular intervals and the JWT is never persistently stored. The security level of your application will determine how you handle JWTs.
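Added example, not code from the original post: a small token store in JavaScript that keeps the JWT in LocalStorage for the low and medium security cases (or only in memory for the high security case), checks the exp claim on restore so an expired token is dropped instead of reused, and builds the Authorization header described above. It assumes the login response body is { token: "<jwt>" }; the auth_token key, memoryStorage stand-in and makeDemoJwt helper are constructed for the example.

```javascript
const TOKEN_KEY = "auth_token"; // hypothetical storage key, not from the post
// Read the JWT's claims from its second (base64url) segment. The client only
// reads exp/sub; the signature is verified by the server, never here.
function decodePayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(parts[1].length / 4) * 4, "=");
  try { return JSON.parse(atob(b64)); } catch { return null; }
}
// Transient: an unparseable token, or one without exp, is treated as unusable.
function isExpired(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodePayload(jwt);
  return !claims || typeof claims.exp !== "number" || claims.exp <= nowSeconds;
}
// persist: true  -> low/medium security: survives a closed tab via storage.
// persist: false -> high security: token lives only in memory for this page load.
function createTokenStore(storage, { persist = true } = {}) {
  let memoryToken = null;
  const store = {
    saveFromLogin(body) {              // body is the login response JSON
      memoryToken = body.token;
      if (persist) storage.setItem(TOKEN_KEY, body.token);
    },
    restore(now) {                     // on page load: resume unless expired
      const candidate = memoryToken ?? (persist ? storage.getItem(TOKEN_KEY) : null);
      if (!candidate || isExpired(candidate, now)) { store.clear(); return null; }
      memoryToken = candidate;
      return candidate;
    },
    clear() { memoryToken = null; storage.removeItem(TOKEN_KEY); },
    authHeader() {                     // what the Network tab shows on each request
      return memoryToken ? { Authorization: `Bearer ${memoryToken}` } : {};
    },
  };
  return store;
}
// Constructed stand-in for window.localStorage so this runs in Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => m.set(k, String(v)), removeItem: (k) => m.delete(k) };
}
// Constructed demo token (header.payload.placeholder-signature); not a real credential.
function makeDemoJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.demo-signature`;
}
```

In the browser, pass window.localStorage instead of memoryStorage() and call restore() once on page load before the first authenticated request.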
Written by Jack Herrington
Jack Herrington is a Full Stack Principal Engineer who orchestrated the rollout of React/NextJS at Walmart Labs and Nike. He is also the "Blue Collar Coder" on YouTube, where he posts weekly videos on advanced use of React and NextJS as well as other frontend technology trends. His YouTube channel hosts entire free courses on React and TypeScript. He has written seven books, including most recently No-BS TypeScript, which is a companion book to the YouTube course.