by antoaravinth 3269 days ago
>> Finally: don't use JWT. JWT terrifies me, and it terrifies all the crypto engineers I know. As a security standard, it is a series of own-goals foreseeable even 10 years ago based on the history of crypto standard vulnerabilities. Almost every application I've seen that uses JWT would be better off with simple bearer tokens.

This is really surprising to me. I use the Play! framework, and the whole Play! framework community suggests using JWT for authentication, as Play! doesn't support sessions out of the box. Is it that JWT itself is bad, or that the way developers use it is bad? Just a noob question.


It is a standard for crypto created by non-crypto people. It is bad, don't use it. Using it correctly is harder than rolling your own stupid simple bearer token, which is very rare for standards. Using stateful authentication is even simpler. Using Django or something like that is even simpler.
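The "stupid simple bearer token" with server-side state that the reply recommends, written out as an added example (not code from the thread, Play!, or any named project). It assumes a single-process in-memory store, a hypothetical `TokenStore` class and `parse_bearer` helper, and a configurable TTL; only the Python standard library is used. The token itself is random and opaque, so there is nothing for a client to parse, no algorithm to negotiate, and no signature to get wrong; the server stores only a SHA-256 digest of the token so a leaked store does not yield usable credentials, and revocation is an ordinary delete.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class TokenStore:
    """Stateful bearer-token store: random opaque token -> (user_id, expiry).

    Hypothetical helper written for this example; assumes one process and an
    in-memory dict (a real deployment would back this with a database/cache).
    """

    def __init__(self, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        # Keyed by the token's digest, never the raw token.
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Tokens are high-entropy, so an unsalted hash is enough to keep a
        # leaked store from being replayed directly.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG; URL-safe so it fits in a header as-is.
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user_id for a live token, or None if unknown/expired."""
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            # Lazy expiry: drop the stale entry on first use after its TTL.
            del self._sessions[key]
            return None
        return user_id

    def revoke(self, token: str) -> bool:
        """Immediate server-side logout; returns True if a session was removed."""
        return self._sessions.pop(self._digest(token), None) is not None


def parse_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=60)
    tok = store.issue("alice")
    # Constructed request header for the demo; a real server reads it from the request.
    header = f"Bearer {tok}"
    print("authenticated as:", store.authenticate(parse_bearer(header)))
    store.revoke(tok)
    print("after revoke:", store.authenticate(tok))
```

Every check a server must do is visible in `authenticate`: lookup, expiry, and nothing else. That is the whole of the reply's point about simplicity: there is no header to trust, no algorithm field, and no client-supplied claims to validate.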