A7: 2021 | JWT Tokens (19) | Cycubix Docs

Best practices

Some best practices when working with JWT:

  • Fix the algorithm, do not allow a client to switch the algorithm.

  • Make sure you use an appropriate key length when using a symmetric key for signing the token.

  • Make sure the claims added to the token do not contain personal information. If you need to add more information opt for encrypting the token as well.

  • Add sufficient test cases to your project to verify that invalid tokens actually do not work. Integrating with a third party to check your tokens does not mean you do not have to test your application at all.

  • Take a look at the best practices mentioned in https://tools.ietf.org/html/rfc8725#section-2
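The first, second and fourth points above, as an added example that is not part of the lesson: a minimal HS256 verifier that pins the algorithm (the header's `alg` is compared against the expected value, never used to pick the verifier), enforces the RFC 7518 minimum key length of 32 bytes, and a `rejects` helper for the negative test cases. The key and claims are constructed for illustration; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json

MIN_HS256_KEY_BYTES = 32  # RFC 7518 s3.2: HMAC key at least as long as the hash output
EXPECTED_ALG = "HS256"    # fixed server-side; a client cannot switch it


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS with a fixed HS256 header (assumed issuing side)."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key shorter than 32 bytes")
    header = _b64url_encode(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the token is well-formed, uses HS256 and carries a valid MAC."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key shorter than 32 bytes")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The header is checked, not trusted: "none", RS256 or anything else is refused outright.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def rejects(token: str, key: bytes) -> bool:
    """Negative-test helper: True when the verifier refuses the token."""
    try:
        verify_hs256(token, key)
        return False
    except ValueError:  # covers malformed base64/JSON too (both are ValueError subclasses)
        return True
```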
