Redact JWT Tokens from Logs

Find and redact JSON Web Tokens (JWT) from application logs, HTTP headers, and debug output. Prevent session hijacking by removing bearer tokens before sharing.

Detailed Explanation

Redacting JWT Tokens

JSON Web Tokens (JWTs) are widely used for authentication and authorization. They appear in HTTP headers, cookies, URL parameters, and application logs. A leaked JWT can allow an attacker to impersonate a user for the duration of the token's validity.

JWT Structure

A JWT consists of three Base64url-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

This predictable structure — header.payload.signature — makes JWTs straightforward to detect with regex:

eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+

The pattern anchors on the eyJ prefix, which is how the opening {" of a JSON object Base64url-encodes when followed by a letter (the first character of the first key name, such as alg or sub). Every JWT header and payload therefore begins with eyJ.

Why JWTs Are Dangerous to Leak

Unlike API keys, JWTs are self-contained tokens that carry their own authorization claims. A leaked JWT gives an attacker:

  • Session access — They can make API calls as the authenticated user
  • Claim information — The payload often contains user IDs, emails, roles, and permissions
  • Time-limited but immediate risk — Valid until the exp claim expires (often 15 minutes to 24 hours)

Where JWTs Leak

  • Application logs — Logging the full Authorization header is a common mistake
  • Browser developer tools screenshots — Network tab shows bearer tokens
  • Error reports — Stack traces that include request context
  • CI/CD output — Integration test logs that print HTTP requests

Redaction Strategy

The Secret Redactor detects the characteristic eyJ...eyJ... pattern and replaces the entire token with [REDACTED_JWT]. This preserves the structure of surrounding text (e.g., Authorization: Bearer [REDACTED_JWT]) while removing all sensitive data.
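The following is an added example, not the Secret Redactor's own code. It implements the detection pattern from the JWT Structure section and the replacement strategy described above in Python, runs it over constructed log lines of the kinds listed under Where JWTs Leak, and adds a post-redaction check that nothing token-shaped survives. The HS256 signing helper, sample key and log lines are constructed here for test data only; the one real-looking token is the sample token shown earlier on this page.

```python
import base64
import hashlib
import hmac
import json
import re

# Detection pattern from the page: header.payload.signature, each part Base64url.
# Header and payload both start with eyJ (Base64url of '{"' plus a letter).
# The final part requires at least one character, so an unsigned token whose
# signature segment is empty would not be matched by this pattern.
JWT_PATTERN = re.compile(r"eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+")

PLACEHOLDER = "[REDACTED_JWT]"


def redact_jwts(text: str, placeholder: str = PLACEHOLDER) -> str:
    """Replace every JWT in text with the placeholder; surrounding text is untouched."""
    return JWT_PATTERN.sub(placeholder, text)


def contains_jwt(text: str) -> bool:
    """Post-redaction check: True if anything matching the JWT shape is still present."""
    return JWT_PATTERN.search(text) is not None


def redact_log(lines: list[str]) -> tuple[list[str], int]:
    """Redact a list of log lines; return (redacted lines, number of tokens removed)."""
    redacted = []
    removed = 0
    for line in lines:
        removed += len(JWT_PATTERN.findall(line))
        redacted.append(redact_jwts(line))
    return redacted, removed


# --- Constructed sample data (not from any real system) ----------------------

def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Build a signed HS256 JWT for test data; the key is a constructed sample value."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"


SAMPLE_KEY = b"constructed-sample-key-not-a-real-secret"
TOKEN_A = make_hs256_token({"sub": "1234567890", "name": "John Doe", "role": "admin", "exp": 1716239022}, SAMPLE_KEY)
TOKEN_B = make_hs256_token({"sub": "42", "email": "jane@example.com", "exp": 1716239999}, SAMPLE_KEY)

# The sample token shown on this page (the standard jwt.io example).
PAGE_EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Constructed log lines in the shapes the page lists: Authorization header,
# cookie, URL parameter, and a line with no token at all.
SAMPLE_LOG = [
    f"2024-05-20T10:15:01Z INFO  GET /api/orders Authorization: Bearer {TOKEN_A}",
    f"2024-05-20T10:15:02Z DEBUG Cookie: session={TOKEN_B}; theme=dark",
    f"2024-05-20T10:15:03Z WARN  401 for /api/admin?access_token={PAGE_EXAMPLE_TOKEN}",
    "2024-05-20T10:15:04Z INFO  health check ok",
]


if __name__ == "__main__":
    clean, n = redact_log(SAMPLE_LOG)
    for line in clean:
        print(line)
    safe = not any(contains_jwt(line) for line in clean)
    print(f"removed {n} token(s); safe to share: {safe}")
```

Because the regex replaces only the token itself, the line layout survives (timestamp, level, header name), which is what makes the redacted output still useful in a bug report. Run contains_jwt over the result before attaching it anywhere; a False from every line is the condition to require, not the count of replacements.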

Use Case

A backend developer is filing a bug report about an authentication issue and wants to include the server logs showing the failing request. The logs contain JWT bearer tokens in Authorization headers. Running the logs through the Secret Redactor strips all JWTs while preserving the rest of the log structure, making it safe to attach to the issue tracker.
