The parts of JWT security nobody talks about

This page contains the resources for the talk titled "The parts of JWT security nobody talks about". The slide deck contains a lot of information, as it is from an in-depth session. Shorter versions of the talk skip some of the topics.

Apart from the slides, a cheat sheet covers a set of best practices for securely using JWTs. A guest post for Ping Identity digs into a bit more details.


JSON Web Tokens (JWT) have become the de facto standard to transfer application claims between the client and the server. By design, they incorporate the use of signatures to ensure the integrity of the data. However, merely signing the data alone is not enough to guarantee security.

In this talk, we zoom into the security properties of JWTs. After introducing the different signature schemes, we dive into the hard parts nobody talks about. How do you manage and identify the keys used for the signature? How do you handle key rotation? And what about encrypting JWTs? This talk answers all these questions. You will walk away with a set of best practices for adequately securing JWTs.

About Philippe De Ryck

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.