To sign an unsigned token, the process is as follows:

    unsignedToken = encodeBase64(header) + '.' + encodeBase64(payload)
    signature_encoded = encodeBase64(HMAC-SHA256("secret", unsignedToken))
    jwt_token = encodeBase64(header) + "." + encodeBase64(payload) + "." + signature_encoded

Security notes:

- JWT is not vulnerable to CSRF (except when the JWT is put in a cookie).
- Session theft through an XSS attack is possible when JWT is used.
- Improper token storage (HTML5 storage/cookie).
- Sometimes the key is weak and can be brute-forced.
- Faulty token expiration.
- JWT can be used as a Bearer token in a custom authorization header.

JWT is used for stateless applications. JWT usage results in no server-side storage or database-based session management: all information is put inside a signed JWT token.

- Security relies only on the secret key.
- Logging out or invalidating specific users is not possible due to the above stateless approach. The same signing key is used for everyone.

#HMAC S
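The signing steps above, implemented with Python's standard library, together with the verification side that the page's notes imply (recomputing HMAC-SHA256 with the server's key, comparing in constant time, and rejecting a missing or past `exp`). This is an added example, not code from the original page; the key, the claim values and the `now` parameter are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    # unsignedToken = base64(header) . base64(payload); signature = HMAC-SHA256(secret, unsignedToken)
    header = {"alg": "HS256", "typ": "JWT"}
    unsigned = (b64url(json.dumps(header, separators=(",", ":")).encode())
                + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, unsigned.encode(), hashlib.sha256).digest()
    return unsigned + "." + b64url(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, else None."""
    try:
        h, p, s = token.split(".")
        # The verifier never trusts the header's alg field: it always recomputes
        # HMAC-SHA256 with the server's own key over the unsigned part.
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
            return None
        payload = json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if not isinstance(payload, dict):
        return None
    # Faulty expiration handling is a listed weakness: a token without exp, or
    # with exp in the past, is rejected rather than accepted by default.
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


if __name__ == "__main__":
    key = b"constructed-demo-key-replace-with-a-long-random-secret"  # constructed sample key
    tok = sign_jwt({"sub": "alice", "exp": int(time.time()) + 300}, key)
    print(tok, verify_jwt(tok, key))
```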
Way to Divergence