[mcny]

I would suggest everyone to stay away from jwt unless they're willing to spend the time to learn how it works.

I believe the meta is that jwt is solid itself but allows doing things "wrong". Guardrails so to speak are insufficient if not outright lacking.

I'd say just go with plain text token for a web app. I don't like the idea of trusting the client because I don't understand how jwt works.

[Raed667]

Trusting in what sense? If my token only has the userId as data, what kind of trust is needed?

[mfontani]

Some libraries don't make it easy (or possible) to check that the algorithm used by the JWT sent by the client is in fact the algorithm you're using and want the client to come back with, see i.e. https://auth0.com/blog/critical-vulnerabilities-in-json-web-...

[Raed667]

I see, but sticking to HS256 should solve this without much headache.