This handbook covers the origins of JSON Web Tokens (JWT), the problems they address, and the various algorithms for signing and encrypting them. It also includes best practices and recent updates for effective use of JWTs.

TruffleHog has introduced a new feature that detects JSON Web Tokens (JWTs) signed with public-key cryptography and verifies their liveness. This capability has already identified hundreds of exposed JWTs shortly after deployment, improving security for users. However, it does not currently support shared-secret-based JWTs or those from non-routing IPs.

This guide explains JSON Web Tokens (JWTs) and their importance in building secure and scalable identity systems. It covers JWT components, use cases, and best practices to mitigate common vulnerabilities.

This guide explains JSON Web Tokens (JWTs) and their significance in building secure and scalable identity systems. It covers JWT structure, advantages, common vulnerabilities, and best practices for implementation.

The author used the rep+ tool to discover a Supabase JWT embedded in a website's JavaScript, which led to unauthorized access to sensitive data, including password reset tokens. This exposure raised concerns about the enforcement of Row Level Security across the platform.

Cisco has addressed a critical vulnerability in its IOS XE Software for Wireless LAN Controllers, identified as CVE-2025-20188, which allows unauthenticated attackers to hijack devices due to a hard-coded JSON Web Token. Although the flaw is potent, it is only exploitable if the 'Out-of-Band AP Image Download' feature is enabled, which is not the default setting. Administrators are urged to apply security updates immediately to mitigate the risk.