Scott Arciszewski:

If you can get away with never using JWT, all the better. Unfortunately, you don’t always have a choice in the matter. Sometimes you need a JWT parser for the sake of interoperability or backwards compatibility. Other times, you need one for political reasons.

As one of JWT’s most vocal critics, and a cryptography/security nerd who obsesses over making tools that are easy to use and hard to misuse, I thought I would take a stab at the opposite of the above approaches. Rather than list off the known ways to implement JWT insecurely and muse about mitigation strategies, I will instead offer my strategy for building a JWT library from better security principles.