What is the maximum size of JWT token?
I need to know the maximum length of JSON Web Token (JWT).

There is no information about it in the specs. Are there no limitations on length?

Shields answered 25/9, 2014 at 8:32 Comment(0)
As you said, there is no maximum length defined in the RFC7519 (https://www.rfc-editor.org/rfc/rfc7519) or other RFCs related to JWS or JWE.

If you use the JSON Serialized format or JSON Flattened Serialized format, there is no limitation and there is no reason to define a limitation.

But if you use the JSON Compact Serialized format (most common format), you have to keep in mind that it should be as short as possible because it is mainly used in a web context. A 4kb JWT is something that you should avoid.

Take care to store only useful claims and header information.

Attired answered 25/9, 2014 at 8:43 Comment(0)
I've also been trying to find this.

I'd say - try and ensure it's below 7kb.

Whilst JWT defines no upper limit in the spec (http://www.rfc-editor.org/rfc/rfc7519.txt), we do have some operational limits. As a JWT is included in an HTTP header, we have an upper limit (SO: Maximum on http header values) of 8K on the majority of current servers.

This includes all request headers (< 8kb), so 7kb gives a reasonable amount of room for other headers. The biggest risk to that limit would be cookies (sent in headers, and they can get large).

As it's encrypted and base64-encoded, there's at least 33% wastage over the original JSON string, so do check the length of the final encrypted token.

One final point: proxies and other network appliances may apply an arbitrary limit along the way...

Fatima answered 11/6, 2015 at 12:51 Comment(11)
Is there any practical reason to avoid "large" tokens in the 2-3kb range? – Hemotherapy

@SamuelElrod it likely depends on your application's requirements. 2-3kb for every request involving a JWT adds a decent amount of baggage to be bringing over the wire every time. If that impacts user-perceived performance, then you would limit that. – Pipistrelle

Try to avoid bloating your token. I'd say 2-3k is already getting way too big; what do you have in there? My current token is 320 bytes. – Cords

I'm considering putting a privileges map in mine. It will contain the current user's common JWT info, as well as a map containing the user_id and privilege type for all of the users for which they have privileges. This could theoretically grow without bound. – Hoboken

Hey Nate, I guess you've come across scopes in a JWT? That's broadly where we were going, with some baked-in state from Auth useful downstream. – Fatima

Interesting, I'm also considering shoveling a map of privileges right now. Right now my plan is to use a naive approach and shovel them as a JSON array, and if it's a problem I will try to pack the content in a binary-like format in the future. – Peepul

The issue comes down to applications which may allow users to have numerous roles, in the hundreds. I'm experiencing an issue where the tokens can become 11k in size just because of all the roles a user can have. And there's no way to create a unique bit set out of them as the roles are dynamic strings. – Detribalize

How would you have a client store a 7kB JWT? Most browsers don't allow cookies larger than 4kB. Are you using local storage and shunting the JWT into some non-cookie header? – Carry

I've just tested this on Apache. It's not that "sum of ALL request headers should be < 8k". It's that each header value cannot exceed 8k; for example, see the Apache doco: httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize – Orthodox

"I'm experiencing an issue where the tokens can become 11k in size just because of all the roles a user can have" @AndrewTFinnell if that's the case I'd consider moving from RBAC to ReBAC :) – Conveyancing

For the use-case of user-specific privileges (roles, urls, actions, buttons, etc.) consider putting that behind an API-authenticated endpoint and cache it on the client, to avoid cookie size limits. – Morez
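The two answers above make the same practical point from different angles: the compact serialization is the one that has to fit in an HTTP header, base64url inflates the claims by at least a third, and per-role claims make the token grow without bound. The following script is an added example, not code from the question or any of the answers. It builds a minimal HS256 JWS with only the Python standard library, compares the raw claims JSON with the compact and flattened JSON serializations, and checks the resulting `Authorization` or `Cookie` header line against the 8 KB per-header-line limit, the 7 KB ceiling suggested above and the 4 KB cookie limit mentioned in the comments. `DEMO_KEY`, the `roles_claims` payload and the `role:project-N:editor` role names are constructed for the demonstration; the limit constants are the figures quoted on this page.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (hypothetical). A real HS256 key is a random secret of at least 256 bits.
DEMO_KEY = b"constructed-demo-key-not-for-production"
HEADER = {"alg": "HS256", "typ": "JWT"}

# Limits quoted in the answers and comments above.
HEADER_LINE_LIMIT = 8 * 1024   # per-header-line limit on common servers and the Heroku router
SUGGESTED_MAX = 7 * 1024       # ceiling suggested in the answer, leaving room for other headers
COOKIE_LIMIT = 4 * 1024        # common browser cookie limit mentioned in the comments


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compact_jws(claims: dict, key: bytes = DEMO_KEY) -> str:
    """HS256 JWS in compact serialization: header.payload.signature (RFC 7515 section 7.1)."""
    h = b64url(json.dumps(HEADER, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def verify_compact(token: str, key: bytes = DEMO_KEY) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), s)


def flattened_json_jws(claims: dict, key: bytes = DEMO_KEY) -> str:
    """The same JWS in flattened JSON serialization (RFC 7515 section 7.2.2). Size matters
    less here because this form is carried in a body, not in an HTTP header."""
    h, p, s = compact_jws(claims, key).split(".")
    return json.dumps({"protected": h, "payload": p, "signature": s}, separators=(",", ":"))


def size_report(claims: dict) -> dict:
    """Compare the raw claims JSON with the encoded forms. The compact token is always more
    than 4/3 the size of the claims: base64url costs a third, plus header and signature."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    token = compact_jws(claims)
    return {
        "claims_json_bytes": len(raw),
        "compact_token_bytes": len(token),
        "flattened_json_bytes": len(flattened_json_jws(claims)),
        "overhead_ratio": round(len(token) / len(raw), 2),
    }


def header_line_bytes(token: str, transport: str) -> int:
    """Bytes the token adds to the request, including the header name and CRLF."""
    if transport == "bearer":
        return len(f"Authorization: Bearer {token}\r\n".encode("ascii"))
    if transport == "cookie":
        return len(f"Cookie: session={token}\r\n".encode("ascii"))
    raise ValueError(f"unknown transport {transport!r}")


def fits_budget(token: str, transport: str = "bearer", limit: int = SUGGESTED_MAX) -> bool:
    """True if the header line carrying the token stays within the given byte budget."""
    return header_line_bytes(token, transport) <= limit


def roles_claims(n_roles: int) -> dict:
    """Constructed payload that grows linearly with the number of roles, the situation
    described in the comments where tokens reached 11k."""
    return {
        "sub": "user-1234",
        "iat": 1700000000,
        "exp": 1700003600,
        "roles": [f"role:project-{i}:editor" for i in range(n_roles)],
    }


def max_roles_within(limit: int = SUGGESTED_MAX, transport: str = "bearer") -> int:
    """Largest role count whose token still fits the given budget (simple linear scan)."""
    n = 0
    while fits_budget(compact_jws(roles_claims(n + 1)), transport, limit):
        n += 1
    return n


if __name__ == "__main__":
    print(size_report(roles_claims(5)))
    print(f"7 KB bearer budget: at most {max_roles_within(SUGGESTED_MAX, 'bearer')} roles fit")
    print(f"4 KB cookie budget: at most {max_roles_within(COOKIE_LIMIT, 'cookie')} roles fit")
```

Running it shows the ratio the answer describes: even an empty role list produces a token more than twice the size of its claims once the header and signature are counted, and the budget check is what to run in CI against a realistic claim set rather than trusting a rule of thumb. Note that `header_line_bytes` measures one header line, which is the unit the Apache and Heroku limits apply to; a server that caps the total header block would need the other headers added in as well.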
When using Heroku the header will be limited to 8k. Depending on how much data you are putting in the JWT, it will be reached. The request, when oversized, will not touch your Node instance; the Heroku router will drop it before your API layer.

When processing an incoming request, a router sets up an 8KB receive buffer and begins reading the HTTP request line and request headers. Each of these can be at most 8KB in length, but together can be more than 8KB in total. Requests containing a request line or header line longer than 8KB will be dropped by the router without being dispatched.

See: Heroku Limits

Outman answered 19/12, 2017 at 18:34 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.