
Executive Brief
The JSON Web Token specification, published as RFC 7519 in May 2015, reached its ten-year anniversary this month. Mike Jones, one of the original co-authors of the JWT specification, published a retrospective on May 25, 2025, detailing the standard's evolution and announcing ongoing work to update security guidance.
According to Jones, the JWT specification emerged from a 4.5-year development process aimed at creating a simple JSON-based security token format. The standard was co-designed alongside OpenID Connect, the identity layer built on top of OAuth 2.0. Since publication, JWT has been adopted across authentication systems, API security, and applications its creators did not anticipate, including telephone call fraud prevention through the STIR/SHAKEN framework.
The anniversary coincides with active IETF work to revise security recommendations. Jones and co-authors Yaron Sheffer and Dick Hardt are updating the JSON Web Token Best Current Practices document, originally published as RFC 8725 in 2020. The revision addresses additional threats and mitigations identified over the past five years. A separate effort led by Brian Campbell and Chuck Mortimore is updating RFC 7523, the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants, to address vulnerabilities caused by ambiguities in audience values.
The updates reflect lessons learned from real-world deployments and security research conducted since the original specifications were published. The IETF drafts document specific attack vectors and recommended countermeasures, providing implementers with guidance to avoid common pitfalls.
JWT's widespread adoption makes these security updates significant for the broader authentication ecosystem. The token format is used in web applications, mobile apps, microservices architectures, and enterprise identity systems worldwide.
What Happened
In May 2015, the Internet Engineering Task Force published RFC 7519, formally standardizing the JSON Web Token format. The specification was part of the larger JOSE suite of related standards, including JSON Web Signature (JWS, RFC 7515), JSON Web Encryption (JWE, RFC 7516), JSON Web Key (JWK, RFC 7517), and JSON Web Algorithms (JWA, RFC 7518).
On May 25, 2025, Mike Jones published a blog post titled "Ten Years of JSON Web Token (JWT) and Preparing for the Future" on his self-issued.info website. Jones served as one of the primary authors of the original JWT specification while working at Microsoft.
In the post, Jones described the development history. The JWT effort began in late 2010 and concluded with RFC publication in May 2015. The specification was designed to work with OpenID Connect, which uses JWT as its token format for identity assertions.
Jones noted that JWT adoption extended beyond its original intended use cases. He cited the STIR/SHAKEN framework, which uses JWT-based tokens to authenticate caller ID information and combat telephone fraud, as an example of unexpected adoption.
The blog post announced two ongoing IETF revision efforts. The first, draft-sheffer-oauth-rfc8725bis-01, updates the JWT Best Current Practices document; Jones, Yaron Sheffer and Dick Hardt are authoring this revision. The second, draft-ietf-oauth-rfc7523bis-01, updates RFC 7523, the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants; Brian Campbell and Chuck Mortimore lead that work.
According to Jones, the Best Current Practices update addresses "additional threats and mitigations that have become known in the last five years." The OAuth profile update specifically addresses "vulnerabilities caused by ambiguities in the audience values of tokens sent to the authorization server."

Key Claims and Evidence
Ten-year development and adoption: Jones stated that JWT development took 4.5 years from initial work to RFC publication. The specification was co-designed with OpenID Connect to ensure compatibility with modern identity protocols.
Unexpected adoption patterns: The STIR/SHAKEN telephone authentication framework adopted JWT for caller ID verification, an application the original authors did not anticipate. Jones cited this as evidence of the standard's success.
Active security revision work: Two IETF drafts are in progress. The draft-sheffer-oauth-rfc8725bis-01 document updates JWT Best Current Practices, while draft-ietf-oauth-rfc7523bis-01 updates the OAuth 2.0 JWT profile.
Audience value vulnerabilities: The OAuth profile revision specifically addresses ambiguities in how audience values are interpreted when tokens are sent to authorization servers. The OpenID Foundation published a security notice about this vulnerability class.
Five-year update cycle: The original JWT Best Current Practices document (RFC 8725) was published in 2020, five years after the core JWT specification. The current revision continues this pattern of periodic security guidance updates.
The IETF draft documents are publicly available and contain detailed technical specifications for the proposed changes. The draft-sheffer-oauth-rfc8725bis-01 document was at version 01 as of the blog post publication.
Pros and Opportunities
Standardized security guidance: The Best Current Practices updates provide implementers with consolidated guidance on avoiding known vulnerabilities. Organizations can reference the IETF documents when evaluating their JWT implementations.
Backward compatibility: The revision efforts focus on security guidance rather than changes to the core token format. Existing JWT implementations can adopt the recommendations without breaking compatibility with deployed systems.
Industry-wide coordination: The IETF process ensures that security improvements are developed through open collaboration. Multiple organizations and security researchers contribute to the drafts before publication.
Documented attack vectors: By recording known attack vectors and their mitigations in standards-track documents, the IETF gives security audits and compliance programs a citable reference point.
Continued relevance: The ten-year milestone and ongoing revision work indicate sustained investment in the JWT ecosystem. Organizations building on JWT can expect continued maintenance and security updates.

Cons, Risks, and Limitations
Implementation lag: Publishing updated best practices does not guarantee adoption. Organizations must actively review and update their implementations, which requires engineering resources and testing.
Complexity accumulation: Each revision adds new recommendations and considerations. The growing body of guidance increases the knowledge required to implement JWT securely.
Legacy system exposure: Systems built before the Best Current Practices updates may contain vulnerabilities addressed in newer guidance. Identifying and remediating these systems requires systematic review.
Audience ambiguity vulnerabilities: The specific vulnerability class being addressed in the OAuth profile update indicates that even well-established specifications can contain subtle security issues that emerge over time.
Draft status uncertainty: The revision documents remain in draft status as of May 2025. The final published versions may differ from current drafts, and the timeline for RFC publication is not specified.
How the Technology Works
JSON Web Tokens encode claims as a JSON object and protect that object with a JSON Web Signature (JWS) or, less commonly, a JSON Web Encryption (JWE). The familiar form is the JWS compact serialization: three base64url-encoded segments separated by periods, a header, a payload, and a signature. An encrypted (JWE) token has five segments instead.
The header names the token type and the cryptographic algorithm used to protect it. Common signing algorithms are HMAC with SHA-256 (HS256), RSASSA-PKCS1-v1_5 with SHA-256 (RS256), and ECDSA with P-256 and SHA-256 (ES256); the algorithm registry also defines "none", meaning an unsecured token, which a verifier should never accept. The payload carries claims, statements about an entity (typically a user) plus metadata. Registered claims include issuer (iss), subject (sub), audience (aud), expiration time (exp), and issued-at time (iat).
The signature is computed over the ASCII bytes of the encoded header, a period, and the encoded payload, using the named algorithm with a shared secret (HMAC) or a private key (RSA, ECDSA). The recipient recomputes the MAC with the shared secret or checks the signature with the corresponding public key, confirming that the token was not altered and came from a party holding the key. Because the algorithm name travels inside the not-yet-verified header, the recipient must decide which algorithms and keys it accepts before looking at the token, rather than letting the header choose; RFC 8725 lists this among its first recommendations.
JWT is often used in authentication flows where a server issues a token after verifying user credentials. The client includes the token in subsequent requests, typically in the Authorization header. The server validates the token signature and checks claims like expiration time before processing the request.
The audience claim (aud) identifies the recipients a token is intended for. RFC 7519 allows it to be a single string or an array of strings, and requires a recipient to reject a token whose aud does not contain an identifier for itself. The ambiguity addressed in the OAuth profile revision arises at the authorization server: RFC 7523 lets a client assertion identify the server in more than one way (the token endpoint URL is one permitted value), and a server that accepts several such identifiers may accept a token that was minted for a different recipient. The revision aims to pin down which audience values a client must send and which the server must accept.
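The following example, added here and not taken from the blog post or any IETF document, puts the token structure, the signature check, and the audience rule from the paragraphs above into working code using only the Python standard library. It mints an HS256 token, then verifies it the way a relying party should: algorithm pinned by the verifier, signature compared in constant time, and iss, aud and exp checked against values the verifier chose in advance. The key, issuer identifier and audience URLs are constructed for the demo, and the scenarios it runs (a valid token, a token for another audience, an unsigned "alg":"none" token, a tampered payload, an expired token) are constructed inputs rather than anything observed in the wild.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by issuer and verifier; a real deployment loads
# it from a secrets store and never commits it to source.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"


class InvalidToken(Exception):
    """Raised for any reason a token must not be trusted."""


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url with the '=' padding stripped (RFC 7515, Appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode((text + "=" * (-len(text) % 4)).encode("ascii"))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Produce a JWS compact-serialized JWT signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    # The MAC covers the ASCII of "<header>.<payload>", exactly as transmitted.
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, key: bytes, expected_aud: str, expected_iss: str, now=None) -> dict:
    """Verify signature and registered claims; return the claims or raise InvalidToken."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected JWS compact serialization with three segments")
    header_b64, payload_b64, tag_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise InvalidToken("malformed header") from None
    # Pin the algorithm on the verifier side. Trusting header["alg"] is what lets
    # "none" tokens and HS256/RS256 key-confusion attacks through.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected_tag = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, b64url_decode(tag_b64)):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("malformed payload") from None
    if claims.get("iss") != expected_iss:
        raise InvalidToken("wrong issuer")
    # RFC 7519 s4.1.3: aud is a string or an array of strings, and the recipient
    # MUST reject the token if its own identifier is not among them.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise InvalidToken("token not intended for this recipient")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("expired or missing exp")
    return claims


def check(token: str, key: bytes, expected_aud: str, expected_iss: str, now: float) -> str:
    """Return 'ok' or the rejection reason, for tabulating the scenarios below."""
    try:
        verify_hs256(token, key, expected_aud, expected_iss, now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


ISSUER = "https://issuer.example"      # constructed identifiers for the demo
API_AUD = "https://api.example"
BILLING_AUD = "https://billing.example"


def demo() -> dict:
    claims = {"iss": ISSUER, "sub": "alice", "aud": API_AUD, "iat": 1000, "exp": 2000}
    good = mint_hs256(claims, DEMO_KEY)
    header_b64, payload_b64, tag_b64 = good.split(".")
    # Attacker variants: an unsigned "none" token, and a payload edit that keeps the old tag.
    none_token = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."
    forged = b64url_encode(json.dumps({**claims, "sub": "admin"}, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{forged}.{tag_b64}"
    return {
        "valid": check(good, DEMO_KEY, API_AUD, ISSUER, now=1500),
        "wrong_audience": check(good, DEMO_KEY, BILLING_AUD, ISSUER, now=1500),
        "alg_none": check(none_token, DEMO_KEY, API_AUD, ISSUER, now=1500),
        "tampered": check(tampered, DEMO_KEY, API_AUD, ISSUER, now=1500),
        "expired": check(good, DEMO_KEY, API_AUD, ISSUER, now=2500),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:15s} {outcome}")
```

The verifier takes expected_aud and expected_iss as parameters on purpose: the relying party states who it is and who it trusts before the token is opened, so a token addressed to the billing service is refused by the API even though its signature is perfectly valid. That exact-match discipline is the single-recipient version of the audience problem the RFC 7523 revision is working through on the authorization-server side.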
Industry Context
JWT has become foundational infrastructure for web authentication. Major identity providers including Google, Microsoft, and Auth0 issue JWT-formatted tokens. The OpenID Connect protocol, which builds on OAuth 2.0, mandates JWT for ID tokens.
The standard's adoption in the STIR/SHAKEN framework demonstrates its reach beyond web applications. Telephone carriers use JWT-based tokens to cryptographically sign caller ID information, enabling recipients to verify that calls originate from legitimate sources.
The ten-year milestone places JWT among the more mature web security standards. For comparison, OAuth 2.0 (RFC 6749) was published in 2012, and TLS 1.3 (RFC 8446) was published in 2018.
The ongoing revision work reflects a broader pattern in security standards maintenance. As deployment experience accumulates and security researchers identify new attack vectors, standards bodies update guidance documents. The five-year cycle between RFC 8725 and its proposed revision suggests a sustainable maintenance cadence.
The IETF's open process means that the draft documents are available for public review and comment. Organizations with JWT expertise can participate in the revision process by submitting feedback through IETF channels.
What Is Confirmed vs. What Remains Unclear
Confirmed:
- JWT (RFC 7519) was published in May 2015, marking ten years as of May 2025
- Mike Jones, a co-author of the original specification, published a retrospective on May 25, 2025
- Two IETF drafts are in progress: draft-sheffer-oauth-rfc8725bis-01 and draft-ietf-oauth-rfc7523bis-01
- The drafts address security issues identified since the original specifications
- The OpenID Foundation published a security notice about audience value ambiguities
Unclear:
- Timeline for the draft documents to reach RFC status
- Specific technical details of all vulnerabilities being addressed
- Adoption rates of existing Best Current Practices recommendations
- Whether additional revision efforts are planned beyond the two announced drafts
What to Watch Next
The IETF datatracker will show progress on both draft documents as they move through the standards process. Version increments and working group discussions indicate active development.
The OpenID Foundation may publish additional security notices or implementation guidance related to the audience value vulnerabilities. Organizations using OpenID Connect should monitor foundation communications.
Major identity providers may announce updates to their JWT implementations in response to the revised best practices. Documentation changes from providers like Auth0, Okta, and cloud platform identity services would indicate industry adoption.
Security research publications and conference presentations may reveal additional JWT vulnerability classes that could inform future revisions. Academic and industry security conferences often feature authentication protocol research.
The JWT.io website, maintained by Auth0, provides a decoder and library directory that may be updated to reflect best practices changes. The site serves as a common reference for JWT implementers.
Sources
- Mike Jones, "Ten Years of JSON Web Token (JWT) and Preparing for the Future," self-issued.info, May 25, 2025. https://self-issued.info/?p=2708
- M. Jones, J. Bradley, N. Sakimura, "JSON Web Token (JWT)," RFC 7519, IETF, May 2015. https://www.rfc-editor.org/rfc/rfc7519.html
- Y. Sheffer, D. Hardt, M. Jones, "JSON Web Token Best Current Practices," draft-sheffer-oauth-rfc8725bis-01, IETF, 2025. https://www.ietf.org/archive/id/draft-sheffer-oauth-rfc8725bis-01.html
- Hacker News discussion thread, May 25, 2025. https://news.ycombinator.com/item?id=44092102


