Blog

Long-form posts on JWT security, signing-key rotation, and modern auth alternatives.

  1. JWT claims your auth team forgets to check (and how each one bit me)

    iss, aud, jti, nbf, sub. The JWT spec defines these for a reason — but most production code only checks exp and the signature. Here's why each of the others matters.

    5 min read #jwt #authentication #security #tokens

  2. fast-jwt CVE-2026-34950: how a regression re-enabled algorithm confusion

    An algorithm-confusion bug in fast-jwt was patched in 2024, then partially re-introduced by a refactor. Here's the diff, the attack, and what to check in your own JWT code.

    9 min read #jwt #security #cve #algorithm-confusion #fast-jwt