What is the maximum size of JWT token?

I need to know the maximum length of a JSON Web Token (JWT).

In the specs there is no information about it. Could it be that there are no limitations in length?


Solution 1:

I've also been trying to find this.

I'd say - try and ensure it's below 7kb.

Whilst JWT defines no upper limit in the spec (http://www.rfc-editor.org/rfc/rfc7519.txt) we do have some operational limits. As a JWT is included in an HTTP header, we've an upper limit (SO: Maximum on http header values) of 8K on the majority of current servers.

As this includes all request headers (< 8kb), 7kb gives a reasonable amount of room for other headers. The biggest risk to that limit would be cookies (sent in headers and can get large).

As it's encrypted and base64ed there's at least 33% wastage of the original json string, so do check the length of the final encrypted token.

One final point - proxies and other network appliances may apply an arbitrary limit along the way...

Solution 2:

As you said, there is no maximum length defined in RFC7519 (https://www.rfc-editor.org/rfc/rfc7519) or other RFCs related to JWS or JWE.

If you use the JSON Serialized format or JSON Flattened Serialized format, there is no limitation and there is no reason to define a limitation.

But if you use the JSON Compact Serialized format (most common format), you have to keep in mind that it should be as short as possible because it is mainly used in a web context. A 4kb JWT is something that you should avoid.

Take care to store only useful claims and header information.
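
The size check both answers point toward, as an added example that is not part of either answer: it builds a compact-serialized token with the standard library, then measures the whole request-header block against a limit. The HS256 signed token, the 8 KB limit constant, the header names and the sample claims are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

HEADER_LIMIT = 8 * 1024  # assumed limit on all request headers combined


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by the compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compact_jws(claims: dict, key: bytes) -> str:
    """Build an HS256 token in compact form: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def encoded_ratio(claims: dict) -> float:
    """Size of the base64url payload segment relative to the raw JSON."""
    raw = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return len(b64url(raw)) / len(raw)


def header_budget(token: str, other_headers: dict, limit: int = HEADER_LIMIT) -> dict:
    """Measure request-header bytes with the token sent as a Bearer credential."""
    headers = dict(other_headers, Authorization="Bearer " + token)
    # HTTP/1.1 sends each header as "Name: value\r\n".
    total = sum(len(f"{k}: {v}\r\n".encode("utf-8")) for k, v in headers.items())
    return {"token_bytes": len(token), "header_bytes": total,
            "fits": total <= limit, "headroom": limit - total}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    small = {"sub": "user-1", "exp": 1700000000}
    large = {"sub": "user-1", "roles": [f"role-{i:04d}" for i in range(700)]}
    others = {"Host": "api.example.test", "Cookie": "session=" + "a" * 900}
    for name, claims in (("small", small), ("large", large)):
        report = header_budget(compact_jws(claims, key), others)
        print(name, report, f"ratio={encoded_ratio(claims):.3f}")
```

Running the same measurement when tokens are issued, and logging or rejecting those that leave too little headroom, catches claim growth before a server or proxy starts refusing requests.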