JWT Best Practices
IETF RFC 8725 JWT security BCP.
Definition
RFC 8725 recommends: explicitly validate expected alg, accept only intended algorithms, verify issuer + audience + expiration, regular key rotation, limit token size, never store client secrets, prefer asymmetric for distributed validation. Lists known attacks: alg=none, key confusion, JWS/JWE substitution.
Origin
IETF OAuth WG, RFC 8725 published February 2020.
Usage
Reference for developers and security auditors implementing or reviewing secure JWT usage.