# JWT Usage and Pitfalls

**One-sentence definition:** Use JSON Web Tokens safely with proper signing, rotation, and scope limits.

## Key Facts

- Always sign (or encrypt) with strong algorithms; reject `none` and weak algorithms.
- Keep TTLs short; use refresh tokens carefully; support revocation lists.
- Validate `aud`, `iss`, `exp`, `nbf`; pin keys (`kid`) to a trusted JWKS.
- Avoid storing sensitive data in JWTs; token size affects headers and caches.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Spot alg confusion and long-lived tokens.

**Mnemonic:** “**Signed, short, scoped**.”

## Mini Scenario

Q: An app accepts `alg=none`. What is the risk, and what is the fix?

A: Token forgery; enforce an allow-list of permitted algorithms (and of vetted libraries) in the verifier.

## Revision Checklist

- Two claim validations.
- Short TTL reason.
- Revocation method.

## Related

[[Authentication Best Practices (Passwordless MFA OIDC)]] · [[Authorization Design (RBAC ABAC Policy Engines)]] · [[Web Session Management (Cookies Tokens Timeouts)]] · [[Service-to-Service Auth (API Keys OAuth mTLS DPoP)]] · [[Domain 8 - Index]]
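A minimal verifier that puts the Key Facts and the Mini Scenario into code (an added example, not part of the original note): it enforces an algorithm allow-list so `alg=none` is rejected, resolves `kid` against a pinned key set, checks the signature in constant time, and then validates `iss`, `aud`, `exp` and `nbf`. The key, issuer and audience values are constructed samples, and only HS256 is implemented.

```python
"""Minimal JWS-compact JWT verifier: alg allow-list, kid pinning, claim checks.
Standard library only, HS256 only. Keys, issuer and audience are constructed samples."""
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = {"HS256"}  # allow-list: "none" and anything unlisted is rejected
# Constructed trusted key set indexed by kid (stand-in for a pinned JWKS).
TRUSTED_KEYS = {"key-2024": b"constructed-demo-secret-not-for-real-use"}
EXPECTED_ISS, EXPECTED_AUD = "https://issuer.example", "orders-api"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, kid: str, alg: str = "HS256") -> str:
    """Issue a token; used here to build sample inputs, including a bad alg=none one."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(TRUSTED_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, now=None) -> dict:
    """Return validated claims or raise ValueError; order is alg -> kid -> signature -> claims."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(_unb64url(h64)), json.loads(_unb64url(p64))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") not in ALLOWED_ALGS:  # blocks alg=none and alg confusion
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    key = TRUSTED_KEYS.get(header.get("kid"))  # kid must resolve to a pinned key
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:  # short TTLs only help if exp is enforced
        raise ValueError("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims
```

Note that the header is parsed only to pick the algorithm and key; nothing in it is trusted until the signature has been checked against a key the verifier already holds.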