After reading the pitfalls and mitigations section, I'm starting to wonder why JWTs/JWEs/etc. are even adopted despite these attacks demonstrated by many cryptographers mentioned in this book. Since JWTs allow for a choice of algorithms (algorithm agility) to sign/verify the tokens, this leaves room for many developers to shoot themselves in the foot in securing these tokens, hence the multiple vulnerabilities documented in this book.<p>It's worth looking at better alternatives that are more cryptographically secure and have saner defaults than JWTs these days. I'd rather use either PASETO [0], Branca [1] or Fernet [2] tokens at this point.<p>[0] <a href="https://paseto.io/" rel="nofollow">https://paseto.io/</a><p>[1] <a href="https://branca.io/" rel="nofollow">https://branca.io/</a><p>[2] <a href="https://github.com/fernet/spec/" rel="nofollow">https://github.com/fernet/spec/</a>
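<p>Added example, not part of the original comment: a stdlib-only HS256 verifier in two forms illustrates the algorithm-agility foot-gun the comment describes, one letting the token's header choose the algorithm and one pinning it on the verifier side. All helper names, the key and the tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS; alg "none" yields an empty signature part."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = b64e(mac(key, f"{head}.{body}")) if alg == "HS256" else ""
    return f"{head}.{body}.{sig}"

def verify_agile(token: str, key: bytes) -> dict:
    """Foot-gun: the token's own header selects how it is verified."""
    head, body, sig = token.split(".")
    alg = json.loads(b64d(head)).get("alg")
    if alg == "HS256":
        if not hmac.compare_digest(mac(key, f"{head}.{body}"), b64d(sig)):
            raise ValueError("bad signature")
    elif alg != "none":  # "none" is a registered JWS algorithm (RFC 7518)
        raise ValueError("unsupported alg")
    return json.loads(b64d(body))

def verify_pinned(token: str, key: bytes) -> dict:
    """The verifier fixes the algorithm; the header is checked, never obeyed."""
    head, body, sig = token.split(".")
    if json.loads(b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(mac(key, f"{head}.{body}"), b64d(sig)):
        raise ValueError("bad signature")
    return json.loads(b64d(body))

KEY = b"constructed-demo-key"                    # constructed sample key
SIGNED = issue({"sub": "alice"}, KEY)            # constructed sample token
UNSIGNED = issue({"sub": "alice"}, b"", "none")  # constructed, carries no MAC

def accepted(verify, token: str) -> bool:
    """True if the given verifier accepts the token under KEY."""
    try:
        verify(token, KEY)
        return True
    except ValueError:
        return False
```

The pinned form is the behaviour that fixed-suite formats such as PASETO, Branca and Fernet build in: the verifier, not the token, decides which primitive applies.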