POC about usage of JSON Web Tokens (JWT) in a secure way.


It's the code repository of the OWASP cheatsheet JSON Web Token (JWT) Cheat Sheet for Java.

A web page propose the creation, validation and revocation of the token, see the image below:

Get a token:


Token stored in browser session storage:


Associated user fingerprint hardened cookie issued to tackle token sidejacking:


Verification of the token:


Revocation of the token (logout):


Verification of the token indicating that the token has been revoked and is not valid anymore:


All classes are fully documented.

The project was developed with JAX-RS + Maven under IntelliJ IDEA Community Edition.

Build or Run

You can also use the Run Application running configuration from Intellij project.

Run the following command to create a WAR archive:

mvn clean package

Run the following command to run the prototype (application will be available on https://localhost:8443):

mvn tomcat7:run-war