by ponytech 3383 days ago
I agree. I've read the whole article and still wonder why I should stop using JWT.

You shouldn't. Simply check that the hash algorithm specified by the client is the one you used when issuing the token. In a side project, I simply hard-code the algorithm [1].

[1]: https://github.com/teotwaki/grace-calendar/blob/develop/app/...

Edit: DYAC.