
How do you measure the size of a JWT token? It is a long string value.

I would like the token to be less than 7 kb.

(https://medium.com/dataseries/public-claims-and-how-to-validate-a-jwt-1d6c81823826)

(https://stackoverflow.com/questions/26033983/what-is-the-maximum-size-of-jwt-token#:~:text=As%20a%20JWT%20is%20included,of%20room%20for%20other%20headers.)

HelloWorld1

1 Answer


JWT is just 3 base64 strings, concatenated with . characters. So, unless you somehow force it into a wider character set, 1 character = 1 byte.

Total size will be a function of the signing algorithm in use, and the actual payload size. base64 has 3:4 overhead. So, your JWT will always be raw payload size * 1.25, plus signature and header. I usually just think of it as 1.5x overhead, and if you come in smaller that's a bonus.

All that said 7kb is pretty huge for something meant to be passed in an HTTP header. I don't know what the hard limit is, but practically speaking I like to stay under 1kb, and ideally under a few hundred characters.

superstator
  • I still don't understand how to measure the size of a token. Please take a look at this link (https://medium.com/dataseries/public-claims-and-how-to-validate-a-jwt-1d6c81823826) and you will find a long string value – HelloWorld1 Dec 17 '20 at 17:38
  • It's just a string. 1 character = 1 byte, unless you're doing something weird like using utf16 or utf32 over HTTP – superstator Dec 17 '20 at 17:39
  • Thank you for your help! – HelloWorld1 Dec 17 '20 at 20:35
  • @superstator in my case I've used [www.lettercount.com](https://lettercount.com) and there I pasted the Header + Payload + Verify Signature and total characters is below 300. Does that also means (by Google's 1kb = 1000 bytes) the size of my JWT is 0.3kB? I've read at [https://jwt.io/introduction](https://jwt.io/introduction) saying 8kB is the max limit which seems like they'd need over 8000 characters, I'm thinking what'd they write in there a poem lol? .. That's why I doubt if my calculations are right? – Aleksandar Jun 05 '23 at 20:20
  • @Aleksandar yes, your math is fine. 8k is not an immutable limit, it's just a common maximum for any header on various HTTP servers. That limit can be smaller, or larger, but keeping tokens as small as possible is always the safest bet – superstator Jun 06 '23 at 22:40
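As an added worked example (not part of the question, the answer or the comments above), the Python below measures a compact JWS the way the answer describes: it checks that the token is pure ASCII (so one character is one byte), splits it on the two dots, reports the encoded and decoded size of header, payload and signature, and computes the measured base64url expansion of the payload, which works out to ceil(4n/3)/n and so approaches 4/3. It also answers the asker's "under 7 kb" question in general form with `payload_budget`, the largest raw payload that keeps the whole token under a given byte limit. The signing key, the claims, the `make_hs256_jwt` helper and the 8192-byte header limit are all constructed for the demo and are assumptions, not values from the original page.

```python
import base64
import hashlib
import hmac
import json

# Assumption for the "fits in a header" check: 8192 bytes is a common default
# per-header limit on many HTTP servers, not a standard. Adjust for your stack.
ASSUMED_HEADER_LIMIT = 8192
BEARER_PREFIX = "Authorization: Bearer "


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_len(n: int) -> int:
    """Encoded length of n raw bytes in unpadded base64url: ceil(4n/3)."""
    return -(-4 * n // 3)


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS so the example runs offline (demo helper only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def measure_jwt(token: str) -> dict:
    """Size breakdown of a compact JWS, in bytes."""
    # A compact JWS is base64url plus dots, so it must be ASCII; only then
    # does "1 character = 1 byte" hold.
    if not token.isascii():
        raise ValueError("compact JWS must be ASCII (base64url + dots)")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    h, p, s = parts
    decoded = [len(b64url_decode(x)) for x in parts]
    total = len(token.encode("ascii"))
    return {
        "total_bytes": total,
        "header_encoded": len(h),
        "header_decoded": decoded[0],
        "payload_encoded": len(p),
        "payload_decoded": decoded[1],
        "signature_encoded": len(s),
        "signature_decoded": decoded[2],
        # measured base64url expansion of the payload; approaches 4/3
        "payload_overhead": len(p) / decoded[1],
        "fits_in_header": len(BEARER_PREFIX) + total <= ASSUMED_HEADER_LIMIT,
    }


def payload_budget(total_limit: int, header_encoded: int, signature_encoded: int) -> int:
    """Largest raw (decoded) payload, in bytes, whose token stays within total_limit."""
    encoded_room = total_limit - header_encoded - signature_encoded - 2  # two dots
    if encoded_room <= 0:
        return 0
    # n raw bytes encode to ceil(4n/3) chars, so n <= floor(3 * room / 4)
    return 3 * encoded_room // 4


# Constructed sample input: demo key (not a real secret) and demo claims.
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"
SAMPLE_CLAIMS = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
SAMPLE_TOKEN = make_hs256_jwt(SAMPLE_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    for k, v in measure_jwt(SAMPLE_TOKEN).items():
        print(f"{k:>20}: {v}")
    print("raw payload bytes allowed in a 7000-byte HS256 token:",
          payload_budget(7000, 36, 43))
```

For the sample claims the token is 155 bytes: a 36-character header (27 raw bytes), a 74-character payload (55 raw bytes), a 43-character signature (32 raw bytes) and two dots. With the same header and an HS256 signature, a 7000-byte total leaves room for 5189 bytes of raw JSON claims; an RS256 or ES256 signature is longer, so the budget shrinks accordingly.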