JWT Token Security and Best Practices
Was doing a ton of research and reading on JWT token security and found a bunch of references that were useful (and many that were not!). Here they are, maybe they will help you too:
This was the best complete guide all in one place… #11 is my favorite!
JWT Security Best Practices
What you should consider when using JWTs in your applications.
Here is what they are referring to:
Stop using JWT for sessions – joepie91′s Ramblings
Update – June 19, 2016: A lot of people have been suggesting the same “solutions” to the problems below, but none of them are practical. I’ve published a new post with a slightly sarcastic flowchart – please have a look at it before suggesting a solution.
Stop using JWT for sessions, part 2: Why your solution doesn’t work – joepie91′s Ramblings
Almost a week ago I published an article explaining why you shouldn’t use JSON Web Tokens as a session mechanism.
Auth0 also has some excellent resources as well, here is one:
Critical vulnerabilities in JSON Web Token libraries
Which libraries are vulnerable to attacks and how to prevent them.
Here are some others:
They say they do everything client side, but I’d be scared to put any real tokens in here…
Decode, verify and generate JSON Web Tokens with our online debugger.
JWT Attack Walk-Through
There’s a well-known defect with older versions of certain libraries where you can trick a JSON Web Token (JWT) consumer that expects tokens signed using asymmetric cryptography into accepting a symmetrically signed token. This article assumes you’re comfortable with JWTs and the theory of this …
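The defense against that algorithm-confusion defect is for the verifier to pin the algorithm it expects (and the key type that goes with it) instead of trusting the token’s own `alg` header. Here is an added example of a pinned HS256 verifier, not code from any of the linked articles; the secret, claims, and the `rewrite_alg` helper used to build negative test cases are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed for the example, never reuse


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the normal way: HS256 over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_pinned(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if alg is exactly HS256 and the MAC matches.

    The algorithm is decided by the verifier, not by the token, so "none",
    "RS256" (the key-confusion case) or a lower-cased "hs256" are all rejected
    before any key material is used."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))


def rewrite_alg(token: str, alg: str) -> str:
    """Test helper (constructed): copy a token with a different alg header,
    leaving payload and signature untouched, to check the verifier rejects it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    header["alg"] = alg
    return f"{b64url_encode(json.dumps(header).encode())}.{payload_b64}.{sig_b64}"
```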
And if you want to try your hand at cracking some JWTs…
JWT brute force cracker written in C. Contribute to brendan-rius/c-jwt-cracker development by creating an account on GitHub.
If you find any additional resources, please drop me an email.