Subscribe to the Non-Human & AI Identity Journal

When should organisations use OAuth with JWT instead of one alone?

Use both when you need delegated access plus portable claims, such as OIDC-based login and multi-service API access. OAuth handles the permission grant, while JWT can carry the identity or access claims. This combination works best when teams also enforce short lifetimes, strict redirect validation, and secure token storage.

Why This Matters for Security Teams

OAuth and JWT solve different problems, which is why organisations often need both rather than treating them as interchangeable. OAuth is the delegation layer that lets one system act on behalf of a user or workload, while JWT is a portable token format that can carry claims across services. When teams confuse the two, they usually end up with weak session handling, brittle API trust, or token sprawl that is hard to audit.

This matters most when login, API authorisation, and service-to-service calls all share the same trust path. A JWT without sound delegation controls can be replayed or over-scoped, while OAuth without well-structured claims can force every service to call back to an identity provider for basic decisions. The right choice depends on whether the organisation needs delegated access, stateless verification, or both, and on how tightly tokens are bounded by audience, expiry, and revocation policy. The NIST Cybersecurity Framework 2.0 is useful here because it emphasises identity, access control, and continuous risk management as connected controls rather than separate silos.

NHIMG research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which makes token-based trust harder to govern in practice. In practice, many security teams encounter token abuse only after third-party access has already been granted and used.

How It Works in Practice

The common pattern is to use OAuth as the authorisation framework and JWT as the token container. A user or client obtains an access token through an OAuth flow, and that token is often a JWT so downstream services can verify claims locally without constant introspection. For login, OpenID Connect commonly sits on top of OAuth and issues an ID token, usually a JWT, to assert identity claims. For APIs, the access token may carry scope, audience, issuer, and expiry so each service can decide whether the request is allowed.

That combination is strongest when the organisation needs:

  • Delegated access across multiple services without re-authenticating every hop.
  • Stateless validation at the API edge, where local signature checks reduce dependency on the identity provider.
  • Portable claims for user context, tenant, role, or assurance level.
  • Short-lived tokens that limit replay if a token is exposed.

Best practice is to keep the JWT narrowly scoped, validate issuer and audience on every service, and store refresh tokens separately with stronger protection than access tokens. Use OAuth consent and grant controls to define what the client may do, then use JWT claims to communicate what the token represents. This is especially important in environments with third-party integrations, where a compromised app can become a broad trust bridge. NHIMG documents that OAuth-connected third parties are frequently poorly visible, and incidents such as the Salesloft OAuth token breach show how delegated tokens can be abused when governance is weak.

Teams should also align token design with revocation and rotation. JWTs are self-contained, but that does not remove the need for expiry, key rotation, or session invalidation strategy. The Ultimate Guide to NHIs is relevant because token misuse, excessive privilege, and poor rotation are recurring NHI failure modes across machine and service identities. These controls tend to break down when long-lived refresh tokens, broad scopes, and weak client authentication are combined in high-volume integration environments.

Common Variations and Edge Cases

Tighter token design often increases implementation and operational overhead, requiring organisations to balance stateless performance against revocation, observability, and integration complexity.

There is no universal standard for whether every access token should be a JWT. Some architectures prefer opaque oauth token with introspection because they want immediate revocation and central policy checks. Others use JWTs only for ID tokens and keep API access tokens opaque to reduce claim leakage. Current guidance suggests choosing JWT when downstream services need to verify claims independently, and choosing opaque tokens when central control and rapid invalidation matter more.

Edge cases arise in microservice meshes, B2B integrations, and partner ecosystems. If tokens cross organisational boundaries, the security team must validate issuer trust, key rotation cadence, and claim minimisation more carefully. If a JWT contains too much identity detail, it can expose unnecessary data even when the signature is valid. If OAuth scopes are too coarse, the token becomes functionally over-privileged even with a short lifetime. The Dropbox Sign breach is a reminder that third-party access and token handling failures can cascade quickly once trust is extended beyond the primary application.

For high-risk integrations, a hybrid model is often the practical answer: OAuth for delegated consent, JWT for bounded claims, and additional controls such as mTLS, sender-constrained tokens, or token exchange where the environment demands stronger proof-of-possession. In mixed environments, the guidance breaks down when legacy services cannot validate JWT claims consistently or when revocation must happen faster than token expiry allows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Token rotation and expiry are central to preventing NHI token abuse.
OWASP Agentic AI Top 10 A-04 Autonomous clients need bounded, runtime-checked access rather than static trust.
NIST CSF 2.0 PR.AC-4 OAuth and JWT both support least-privilege access enforcement across systems.

Validate every token at request time and restrict claims to the minimum needed for the task.