JWT No Expiry

JWT tokens signed without an expiration

Severity: warning | Category: Security | Rule: jwt-no-expiry

Why this matters

A JWT without an expiration never becomes invalid. If it's stolen, the attacker has permanent access — there's no way to revoke it without changing the signing key for everyone.

Bad
import jwt from "jsonwebtoken";

// user is assumed to have been loaded earlier (e.g. from the database)
// No expiresIn and no exp claim: this token is valid forever.
const token = jwt.sign(
  { userId: user.id, role: user.role },
  process.env.JWT_SECRET!
);

Good
import jwt from "jsonwebtoken";

// user is assumed to have been loaded earlier (e.g. from the database)
// expiresIn makes jsonwebtoken add an exp claim one hour from now.
const token = jwt.sign(
  { userId: user.id, role: user.role },
  process.env.JWT_SECRET!,
  { expiresIn: "1h" }
);

How to fix

Always set expiresIn (or an explicit exp claim) when signing JWTs. Use short-lived access tokens (15 min to 1 hr) together with refresh tokens for longer sessions.
