I’ve had a lot of JWT-related discussions at work lately, and today I wondered how big is too big for a JWT to fit through an HTTP header. The HTTP spec doesn’t really impose a limit, but most servers do set one, typically ranging between 8K and 16K bytes.
I figured I could whip up a quick JWT generator to get a rough sense of how big JWTs can get!
For simplicity I made the key/value pairs small strings (these will vary in real life, of course) and defined a byte limit of 8K. Also, to save battery, I increased the key count exponentially 😀
OK, here’s the script. Can you guess what the key limit is using a back-of-napkin calc?
```ruby
require "jwt"

byte_limit = 8000          # rough lower end of common HTTP header size limits
bytesize = 0
key_count = 1
rsa_private = OpenSSL::PKey::RSA.generate 2048   # 2048-bit key => 256-byte RS256 signature

# Keep doubling the number of claims until the encoded token crosses the limit.
while bytesize < byte_limit
  payload = {}
  key_count.times do |i|
    payload["foo_#{i}"] = "bar"   # small, fixed-size claims for simplicity
  end
  token = JWT.encode payload, rsa_private, 'RS256'
  bytesize = token.bytesize       # compact JWS: header.payload.signature, base64url
  puts "bytesize: #{bytesize}, key_count: #{key_count}"
  key_count *= 2
end
```
And here’s the output:
```text
bytesize: 384, key_count: 1
bytesize: 403, key_count: 2
bytesize: 440, key_count: 4
bytesize: 515, key_count: 8
bytesize: 672, key_count: 16
bytesize: 992, key_count: 32
bytesize: 1632, key_count: 64
bytesize: 2950, key_count: 128
bytesize: 5680, key_count: 256
bytesize: 11142, key_count: 512
```
So with 512 keys we exceeded 8K bytes; 256 keys (5680 bytes) was the last count that still fit.
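As an added example (not part of the original post), here is the back-of-napkin calculation done in code. A compact JWS is base64url(header) + "." + base64url(payload) + "." + base64url(signature), and an RS256 signature from a 2048-bit key is always 256 bytes (342 base64url characters), so the token size can be estimated from the JSON alone, without generating a key or signing anything. The `sample_payload` helper, the signature-size table and the binary search for the largest claim count are my own assumptions; the estimates reproduce the numbers in the output above exactly.

```ruby
require "json"

# Signature length in bytes per algorithm (constructed table, assumption):
# RS256 with a 2048-bit key is 256 bytes, HS256 is a 32-byte HMAC,
# ES256 is a 64-byte raw (r, s) pair.
SIG_BYTES = { "RS256" => 256, "HS256" => 32, "ES256" => 64 }.freeze

# Length of unpadded base64url for n_bytes of input: ceil(4n / 3).
def b64url_len(n_bytes)
  (n_bytes * 4 + 2) / 3
end

# Estimate the compact JWS size for a payload without signing it.
# Assumes the jwt gem's default header {"alg":"<alg>"} (no kid/typ) and
# JSON.generate's compact, space-free encoding.
def jwt_size_estimate(payload, alg: "RS256")
  h_len = b64url_len(JSON.generate({ "alg" => alg }).bytesize)
  p_len = b64url_len(JSON.generate(payload).bytesize)
  s_len = b64url_len(SIG_BYTES.fetch(alg))
  h_len + 1 + p_len + 1 + s_len   # the two '.' separators
end

# Same shape of claims as the script above: foo_0..foo_n-1 => "bar".
def sample_payload(key_count)
  (0...key_count).to_h { |i| ["foo_#{i}", "bar"] }
end

# Largest key_count whose estimated token is still under byte_limit.
# Token size grows monotonically with key_count, so a binary search works.
def max_keys_under(byte_limit, alg: "RS256")
  lo, hi = 0, 1
  hi *= 2 while jwt_size_estimate(sample_payload(hi), alg: alg) < byte_limit
  while hi - lo > 1
    mid = (lo + hi) / 2
    if jwt_size_estimate(sample_payload(mid), alg: alg) < byte_limit
      lo = mid
    else
      hi = mid
    end
  end
  lo
end

if __FILE__ == $PROGRAM_NAME
  [1, 2, 256, 512].each do |n|
    puts "estimate: #{jwt_size_estimate(sample_payload(n))}, key_count: #{n}"
  end
  puts "max keys under 8000 bytes: #{max_keys_under(8000)}"
end
```

Swapping `alg:` for `"HS256"` shows how much of a small token is just the RSA signature: the 384-byte single-claim RS256 token shrinks to 85 bytes.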