=== Best practices

Some best practices when working with JWT:

- Fix the algorithm, do not allow a client to switch the algorithm.
- Make sure you use an appropriate key length when using a symmetric key for signing the token.
- Make sure the claims added to the token do not contain personal information. If you need to add more information opt for encrypting the token as well.
- Add sufficient test cases to your project to verify invalid tokens actually do not work. Integration with a third party to check your token does not mean you do not have test your application at all.
- Take a look at the best practices mentioned in https://tools.ietf.org/html/rfc8725#section-2