Summary

  • With the move towards DevSecOps, where the onus of security shifts left towards developers, JSON Web Tokens (JWTs) have become ubiquitous across many organisations, used for API authentication and session management.
  • However, precisely because they are so widely used, JWTs have also become a prime target for attackers, and new, more sophisticated exploitation methods are emerging.
  • For example, a recent survey found that 49% of respondents said they had suffered from algorithm confusion attacks, in which a malicious actor swaps the token's asymmetric RSA algorithm (RS256) for the symmetric HS256; if the server has not been configured to enforce the algorithm it expects, it will accept a forged token as authenticated.
  • Other weaknesses in JWTs include bad secrets, where insecure random number generators are used to create secrets, compromised keys, and token replays.
  • The solution is for developers to ensure they keep up to date with the latest best practices, and for organisations to ensure they maintain their systems appropriately.

By Vivek PS
