
Ask HN: JSON Web Token (JWT) Implementation Experiences - sr_banksy
I have been playing around with JWT for a while now. Looks interesting enough for messing around with. However before adopting it in production, I'd love to hear your experiences, both good and bad, on it. What are some gotchas you've encountered?
======
Alex3917
- Make sure your JWT framework has a way to revoke tokens issued to a user
before a certain date and/or when a user changes their password, in case their
token or password gets leaked.

- Make sure there are no XSS vulnerabilities. JWT works best with JSON APIs,
because that way (in addition to sanitizing inputs) you can also add CSP
headers to prevent modern browsers from executing any JS returned from the
page.
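Worked example of the first point above (revoking tokens issued before a given date, e.g. on password change). This is an added illustration, not code from the thread or from any JWT library: a minimal HS256 signer/verifier built on the Python standard library, plus a per-user "tokens issued before this timestamp are invalid" store. The secret, user ids and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, issued_at: int, ttl: int = 3600) -> str:
    """Create an HS256 JWT with sub/iat/exp claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": issued_at, "exp": issued_at + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationStore:
    """Per-user cutoff: any token with iat before the cutoff is rejected.

    Hypothetical in-memory store; in production this lives next to the
    user record (e.g. a password_changed_at column) or in a shared cache.
    """

    def __init__(self) -> None:
        self._invalid_before: dict[str, int] = {}

    def revoke_before(self, user_id: str, ts: int) -> None:
        # Never move the cutoff backwards.
        self._invalid_before[user_id] = max(ts, self._invalid_before.get(user_id, 0))

    def invalid_before(self, user_id: str) -> int:
        return self._invalid_before.get(user_id, 0)


def on_password_change(store: RevocationStore, user_id: str, now: int) -> None:
    """Password change (or suspected leak) invalidates all earlier tokens."""
    store.revoke_before(user_id, now)


def verify_token(token: str, store: RevocationStore, now: int):
    """Return the payload if the token is authentic, unexpired and not revoked."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never trust the header to pick it (rejects "none").
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
        if now >= int(payload["exp"]):
            return None  # expired
        if int(payload["iat"]) < store.invalid_before(payload["sub"]):
            return None  # issued before the user's revocation cutoff
        return payload
    except (ValueError, KeyError, TypeError):
        return None  # malformed token or claims


if __name__ == "__main__":
    store = RevocationStore()
    tok = issue_token("alice", 1_700_000_000)
    print(verify_token(tok, store, 1_700_000_010))   # payload
    on_password_change(store, "alice", 1_700_000_100)
    print(verify_token(tok, store, 1_700_000_110))   # None: revoked
```

The cutoff check uses the token's own `iat` claim, so revocation needs only one integer per user rather than a blacklist of every issued token; the same cutoff also covers the "revoke everything before date X" case by setting it administratively. Tokens issued after the cutoff (the fresh one handed out right after the password change) keep working.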

