183

I need to know the maximum length of a JSON Web Token (JWT).

In the specs there is no information about it. Could it be that there are no limitations on length?

Bogdan

3 Answers

144

I've also been trying to find this.

I'd say - try and ensure it's below 7kb.

Whilst JWT defines no upper limit in the spec (http://www.rfc-editor.org/rfc/rfc7519.txt) we do have some operational limits. As a JWT is included in an HTTP header, we've an upper limit (SO: Maximum on http header values) of 8K on the majority of current servers.

As this includes all Request headers < 8kb, with 7kb giving a reasonable amount of room for other headers. The biggest risk to that limit would be cookies (sent in headers and can get large).

As it's encrypted and base64ed there's at least 33% wastage of the original json string, so do check the length of the final encrypted token.

One final point - proxies and other network appliances may apply an arbitrary limit along the way...

Community
penderi
  • 2
    Is there any practical reason to avoid "large" tokens in the 2-3kb range? – Samuel Elrod Mar 28 '16 at 17:09
  • 1
    @SamuelElrod it likely depends on your application's requirements. 2-3kb for every request involving a JWT adds a decent amount of baggage to be bringing over the wire every time. If that impacts user perceived performance, then you would limit that. – Jack Sep 26 '16 at 18:32
  • 2
    Try to avoid bloating your token. I'd say 2-3k is already getting way too big, what do you have in there? My current token is 320 bytes. – user2800708 Nov 07 '16 at 14:27
  • 7
    I'm considering putting a privileges map in mine. It will contain the current user's common JWT info, as well as a map containing the user_id and privilege type for all of the users for which they have privileges. This could theoretically grow without bound. – Nate May Jun 08 '17 at 23:48
  • Hey Nate, I guess you've come across scopes in a JWT? That's broadly where we were going, with some baked in state from Auth useful downstream. – penderi Jun 09 '17 at 07:50
  • 1
    Interesting, I'm also considering shoveling a map of privileges right now. Right now my plan is to use a naive approach and shovel them as a JSON array, and if it's a problem I will try to pack the content in a binary-like format in the future. – Ciantic Jun 09 '17 at 08:38
  • The issue comes down to applications which may allow users to have numerous roles, in the hundreds. I'm experiencing an issue where the tokens can become 11k in size just because of all the roles a user can have. And there's no way to create a unique bit set out of them as the roles are dynamic strings. – Andrew T Finnell Nov 27 '18 at 20:09
  • How would you have a client store a 7kB jwt? Most browsers don't allow cookies larger than 4kB. Are you using local storage and shunting the jwt into some non-cookie header? – Patrick M Jul 01 '19 at 15:32
  • I've just tested this on Apache. It's not that "sum of ALL request headers should be < 8k". It's like per header value cannot exceed 8k, for example on Apache doco: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize – kiran01bm Dec 16 '19 at 06:28
  • "I'm experiencing an issue where the tokens can become 11k in size just because of all the roles a user can have" @AndrewTFinnell if that's the case I'd consider moving from RBAC to ReBAC :) – Maria Ines Parnisari Mar 02 '22 at 22:41
110

As you said, there is no maximum length defined in the RFC7519 (https://www.rfc-editor.org/rfc/rfc7519) or other RFCs related to JWS or JWE.

If you use the JSON Serialized format or JSON Flattened Serialized format, there is no limitation and there is no reason to define a limitation.

But if you use the JSON Compact Serialized format (most common format), you have to keep in mind that it should be as short as possible because it is mainly used in a web context. A 4kb JWT is something that you should avoid.

Take care to store only useful claims and header information.

Community
Spomky-Labs
15

When using Heroku, the header will be limited to 8k. Depending on how much data you are using on jwt2, it will be reached. The request, when oversized, will not touch your node instance; the Heroku router will drop it before your API layer.

When processing an incoming request, a router sets up an 8KB receive buffer and begins reading the HTTP request line and request headers. Each of these can be at most 8KB in length, but together can be more than 8KB in total. Requests containing a request line or header line longer than 8KB will be dropped by the router without being dispatched.

See: Heroku Limits

Tiago Gouvêa
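To make the limits discussed in the answers measurable, here is an added example (not code from any of the answers) that builds an HS256 compact JWT with the standard library and reports how many role strings fit before the header line crosses a size budget. The `Authorization: Bearer` header, the `role-NNNN` strings, the `sub` value, the key and the use of the 7 KB target as a budget are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

HEADER_LINE_LIMIT = 8 * 1024  # per-header-line limit cited in the answers
TOKEN_BUDGET = 7 * 1024       # assumption: the 7 KB target suggested in the first answer


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by the JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256-signed compact JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url(signature)])


def header_line_size(token: str) -> int:
    """Bytes of the whole 'Authorization: Bearer <token>' line (without CRLF)."""
    return len(f"Authorization: Bearer {token}".encode("ascii"))


def claims_with_roles(n: int) -> dict:
    """Constructed sample claims carrying n dynamic role strings."""
    return {"sub": "user-1", "roles": [f"role-{i:04d}" for i in range(n)]}


def max_roles_within(budget: int, key: bytes) -> int:
    """Largest role count whose header line still fits within the budget."""
    n = 0
    while header_line_size(make_jwt(claims_with_roles(n + 1), key)) <= budget:
        n += 1
    return n


if __name__ == "__main__":
    key = b"k" * 32  # constructed demo key, not a real secret
    for budget in (TOKEN_BUDGET, HEADER_LINE_LIMIT):
        n = max_roles_within(budget, key)
        size = header_line_size(make_jwt(claims_with_roles(n), key))
        print(f"budget={budget}B -> {n} roles, header line {size}B")
```

Each 11-character role costs 16 bytes on the wire once JSON quoting, the comma and base64url expansion are counted, which is why role lists in the hundreds reach the sizes reported in the comments.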