What is the maximum size of JWT token?

by

I’ve also been trying to find this.

I’d say – try and ensure it’s below 7kb.

Whilst JWT defines no upper limit in the spec (http://www.rfc-editor.org/rfc/rfc7519.txt) we do have some operational limits.
As a JWT is included in a HTTP header, we’ve an upper limit (SO: Maximum on http header values) of 8K on the majority of current servers.

As this includes all Request headers < 8kb, with 7kb giving a reasonable amount of room for other headers. The biggest risk to that limit would be cookies (sent in headers and can get large).

As it’s encrypted and base64ed there’s at least 33% wastage of the original json string, so do check the length of the final encrypted token.

One final point – proxies and other network appliances may apply an abitrary limit along the way…

More Related Contents:

  1. RS256 vs HS256: What’s the difference?
  2. What format is the exp (Expiration Time) claim in a JWT
  3. If you can decode JWT, how are they secure?
  4. JWT (JSON Web Token) automatic prolongation of expiration
  5. JWT authentication for ASP.NET Web API
  6. Best HTTP Authorization header type for JWT
  7. Use multiple JWT Bearer Authentication
  8. Where to save a JWT in a browser-based application and how to use it
  9. How to decode JWT Token?
  10. How Spring Security Filter Chain works
  11. Verifying JWT signed with the RS256 algorithm using public key in C#
  12. Is it safe to put a jwt into the url as a query parameter of a GET request?
  13. What if JWT is stolen?
  14. Do I have to store tokens in cookies or localstorage or session?
  15. Decoding and verifying JWT token using System.IdentityModel.Tokens.Jwt
  16. secure api data from calls out of the app
  17. How to handle file downloads with JWT based authentication?
  18. Standalone Spring OAuth2 JWT Authorization Server + CORS
  19. How to validate signature of JWT from jwks without x5c
  20. JWT on .NET Core 2.0
  21. How to verify JWT id_token produced by MS Azure AD?
  22. NSData won’t accept valid base64 encoded string
  23. Send mail via Google Apps Gmail using service account domain wide delegation in nodejs
  24. Getting only decoded payload from JWT in python
  25. How to get user id using jwt token
  26. Single sign-on flow using JWT for cross domain authentication
  27. ASP.NET core JWT authentication always throwing 401 unauthorized
  28. is it bad to pass jwt token as part of url?
  29. Azure AD Custom Claims in JWT
  30. Get claims from a WebAPI Controller – JWT Token,

Leave a Comment