Long-form posts on JWT security, signing-key rotation, and modern auth alternatives.https://jwt.tooljo.com/en-ushttps://jwt.tooljo.com/blog/jwt-claims-everyone-forgets/https://jwt.tooljo.com/blog/jwt-claims-everyone-forgets/iss, aud, jti, nbf, sub. The JWT spec defines these for a reason — but most production code only checks exp and the signature. Here's why each of the others matters.Tue, 28 Apr 2026 00:00:00 GMThttps://jwt.tooljo.com/blog/fast-jwt-cve-2026-34950/https://jwt.tooljo.com/blog/fast-jwt-cve-2026-34950/An algorithm-confusion bug in fast-jwt was patched in 2024, then partially re-introduced by a refactor. Here's the diff, the attack, and what to check in your own JWT code.Mon, 27 Apr 2026 00:00:00 GMT