What to include in JWT token
What data should be included in the JWT token, and what should be avoided to ensure security? Currently, the token includes the username, role, iss, aud, and exp.
1 Reply
Unless you use encrypted tokens, only include non-sensitive stuff. Treat it as plain text.
You should rarely need to include secret stuff though; remember that as long as the JWT is signed, it's essentially read-only anyway.
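To make the reply concrete, here is an added example (not code from the original post), in plain Python using only the standard library: it builds an HS256-signed token from constructed sample claims, shows that the payload is readable by anyone without the key, and shows that editing a claim while keeping the old signature fails verification. The key and claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """header.payload.signature: the payload is base64url-encoded, not encrypted."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def read_claims_unverified(token: str) -> dict:
    """What anyone holding the token can read with no key at all."""
    return json.loads(unb64url(token.split(".")[1]))

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if alg is HS256, the MAC matches and exp has not passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(unb64url(header)).get("alg") != "HS256":
        return None  # the verifier, not the token, decides the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        return None  # any edit to header or payload invalidates the signature
    claims = json.loads(unb64url(payload))
    if "exp" in claims and time.time() >= claims["exp"]:
        return None  # exp only means something because the verifier checks it
    return claims

def with_changed_claims(token: str, **changes) -> str:
    """Re-encode the payload with edited claims but keep the old signature."""
    header, payload, sig = token.split(".")
    claims = {**json.loads(unb64url(payload)), **changes}
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"

# Constructed demo values, not from any real system.
DEMO_KEY = b"constructed-demo-key"
DEMO_CLAIMS = {"sub": "alice", "role": "user", "iss": "auth.example", "aud": "api.example", "exp": 2000000000}

if __name__ == "__main__":
    token = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
    print("readable without the key:", read_claims_unverified(token))
    print("tampered copy verifies as:", verify_hs256(with_changed_claims(token, role="admin"), DEMO_KEY))
```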