JWT token management in HR SaaS: pitfalls to avoid
JWT: quick refresher
JWTs are the de facto standard for authentication in SaaS. A signed token containing user information (ID, organization, role) that can be verified without a database call.
It's simple and performant. But that simplicity hides pitfalls that many HR vendors discover too late.
Pitfall 1: tokens that never expire
We see this regularly: access tokens with a 30-day lifetime, or no expiration at all. The argument is always the same: "we don't want users to log in too often."
The problem: if a token is stolen (XSS, network interception, compromised device), the attacker has access for 30 days. And since the JWT is self-contained, you can't revoke it server-side — it stays valid until expiration.
Recommendation: access tokens of 15 minutes maximum. Refresh tokens of 7 days with rotation on each use.
Pitfall 2: storing the JWT in localStorage
localStorage is accessible by any JavaScript on the page. An XSS flaw — even in a third-party dependency — allows stealing the token.
Recommendation: store the refresh token in an httpOnly, secure, SameSite=Strict cookie. The access token can stay in memory (JavaScript variable) — it's ephemeral anyway.
Pitfall 3: not verifying the signature
It sounds absurd, but we've seen it: the backend decodes the JWT without verifying the signature. Anyone can modify the payload (change the role from "user" to "admin") and the backend accepts it.
Always verify the signature with the secret or public key. And never accept the "none" algorithm.
Pitfall 4: overly broad claims
A JWT that carries role and organization but also email, name, department, manager and so on is carrying too much. The JWT is readable by the client (it's base64-encoded, not encrypted), so every extra claim is personal data you're handing out with every request. Limit yourself to the claims needed for authorization.
Pitfall 5: no revocation mechanism
When an employee leaves, when a user reports session theft, when you detect suspicious activity — you need to revoke the token immediately.
With short access tokens (15 min), the exposure window is limited. But for refresh tokens, maintain a revocation list (blacklist) in database or Redis cache.
JWT checklist for your HR SaaS
If you're unsure about your implementation, a CleanIssue First Review can verify these points in 48h.