
Free (Almost) JWT eBook - kouzant
https://auth0.com/resources/ebooks/jwt-handbook
======
rvz
After reading the pitfalls and mitigations section, I'm starting to wonder why
JWTs/JWEs/etc. are even adopted despite these attacks demonstrated by many
cryptographers mentioned in this book. Since JWTs allow for a choice of
algorithms (algorithm agility) to sign/verify the tokens, it allows room for
many developers to shoot themselves in the foot in securing these tokens,
hence the multiple vulnerabilities documented in this book.

It's worth looking at better alternatives that are more cryptographically
secure and have sane defaults than JWTs these days. I'd rather use either
PASETO [0], Branca [1] or Fernet [2] Tokens at this point.

[0] [https://paseto.io/](https://paseto.io/)

[1] [https://branca.io/](https://branca.io/)

[2] [https://github.com/fernet/spec/](https://github.com/fernet/spec/)
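The algorithm-agility problem rvz describes above comes down to one verifier decision: whether the token's own `alg` header is allowed to pick the verification path. The following is an added example (not from the eBook, the thread, or any of the token libraries linked above) of a JWS verifier that pins the expected algorithm server-side and treats the header value as untrusted input to be compared, never obeyed. It uses only the Python standard library, assumes HS256 with a constructed demo key, and the `relabel_alg` helper exists only so the demonstration can show a mismatched header being rejected before any signature check runs.

```python
"""Added example: verifying a compact JWS with the algorithm pinned by the server.

Assumption: the server already knows which algorithm and key every token it
accepts must use. The token's "alg" header is therefore compared against that
expectation and never used to select a verification routine.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWS strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64url(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) using HS256."""
    signing_input = _json_b64url({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64url(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Return the claims if `token` verifies under the pinned algorithm, else None.

    Order matters: the header's "alg" is checked against `expected_alg` first, so a
    token naming any other algorithm is rejected before a MAC is even computed.
    """
    if expected_alg != "HS256":
        raise NotImplementedError("this example pins HS256 only")
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None  # the token tried to choose the algorithm: reject outright
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        presented_mac = _b64url_decode(sig_b64)
    except ValueError:
        return None
    # Constant-time comparison so MAC checking does not leak via timing.
    if not hmac.compare_digest(expected_mac, presented_mac):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def relabel_alg(token: str, alg: str) -> str:
    """Test helper: rewrite only the header's alg field, leaving payload and signature as-is."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    header["alg"] = alg
    return _json_b64url(header) + "." + payload_b64 + "." + sig_b64


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"  # constructed sample value
    token = sign_hs256({"sub": "alice", "scope": "read"}, demo_key)
    print("valid token      ->", verify_pinned(token, demo_key))
    print("alg relabelled   ->", verify_pinned(relabel_alg(token, "HS512"), demo_key))
    print("wrong key        ->", verify_pinned(token, b"some-other-key"))
    print("malformed token  ->", verify_pinned("only.two", demo_key))
```

The design point is the ordering inside `verify_pinned`: the expected algorithm is a parameter the server supplies, the header is merely checked for agreement with it, and the signature is only examined once that check has passed. A verifier that instead reads `alg` from the header and dispatches on it is the pattern that turns algorithm agility into the foot-gun the comment above is complaining about.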

