The Curated Daily
← Back to the archiveDispatch · 6 min read
Dispatch

Stop Using JWTs

By the editors·Tuesday, June 16, 2026·6 min read
Close-up of hands using a laptop and credit card for an online payment or shopping transaction.
Photograph by Pavel Danilyuk · Pexels

JSON Web Tokens (JWTs) have become ubiquitous in modern web development, particularly in the realm of microservices and API-driven architectures. Their convenience is undeniable – a self-contained, digitally signed object that holds information about a user, perfect for stateless authentication. However, for the finance industry, relying on JWTs is increasingly looking like a reckless gamble. This article will explain why JWTs are deeply flawed and outline more secure alternatives for protecting sensitive financial data.

The Allure (and Illusion) of JWTs

JWTs rose to prominence because they appeared to solve several key problems:

  • Stateless Authentication: JWTs eliminate the need for server-side sessions, simplifying scaling and deployment. This is crucial for microservices architectures common in fintech.
  • Ease of Implementation: Libraries for generating and verifying JWTs exist in almost every programming language.
  • Information Packaging: They allow you to embed user roles, permissions, and other information directly within the token itself.

However, the perceived benefits often overshadow significant, and often catastrophic, security vulnerabilities. The core problem isn’t what a JWT is, but how it’s commonly implemented and the inherent limitations of its design.

Why JWTs Are a Disaster Waiting to Happen in Finance

The financial sector is a prime target for cyberattacks. The stakes are incredibly high – money, sensitive personal data, and regulatory compliance. JWTs, despite their popularity, are demonstrably insecure in several key ways:

  • Secret Management: JWTs rely on a shared secret for signing and verification. If this secret is compromised, attackers can forge tokens and impersonate any user. This seems obvious, but poor secret management is rampantly common. Secrets stored in code repositories, config files, or even hardcoded into applications are easily discovered.
  • Algorithm Confusion Attacks: The alg header in a JWT specifies the signing algorithm. Attackers can often manipulate this header to downgrade the algorithm to a weaker one (like none – meaning no signature at all) or exploit vulnerabilities in specific algorithms. This is shockingly easy to execute.
  • Token Replay Attacks: Once a JWT is issued, it's valid until it expires. An attacker who intercepts a valid JWT can reuse it, gaining unauthorized access until the token’s expiration. This is a classic security problem exacerbated by the long-lived nature of many JWTs.
  • Lack of Revocation: This is perhaps the biggest flaw for finance. JWTs, by design, are difficult to revoke. Once issued, they’re valid until they expire. What happens if a user's account is compromised? You need to be able to invalidate the token immediately. While workarounds exist (like maintaining a blacklist), they reintroduce statefulness, defeating one of the primary benefits of using JWTs in the first place and often being implemented poorly.
  • Header and Payload Tampering: While the signature protects against modification of the payload, attackers can often manipulate the header to insert malicious code or bypass security checks.
  • Cross-Site Scripting (XSS) Vulnerabilities: If a JWT is stored in browser storage (like localStorage or cookies), it's vulnerable to XSS attacks. An attacker injecting malicious JavaScript can steal the token and compromise the user’s account.

Real-World Examples & Recent Breaches

While many security flaws are theoretical, there have been numerous real-world incidents demonstrating the dangers of JWT misuse. Exploits leveraging algorithm confusion attacks have been demonstrated against major platforms. The ease with which these attacks can be executed is chilling. (Research recent JWT vulnerabilities – new exploits are discovered frequently.) While pinpointing breaches specifically caused by JWTs is often difficult due to the complexity of security incidents, the potential for JWT-related compromise is always present in systems that use them.

Safer Alternatives for Fintech Authentication

If JWTs are so problematic, what should you use instead? Here are several alternatives, ranging from slightly better to significantly more secure:

  • OPAQUE Tokens: Instead of embedding information within the token itself, use a randomly generated, opaque string as the token. The server then looks up the associated user information in a database. This eliminates the payload tampering risks and simplifies revocation. This is a significant improvement, but still requires robust secret management.
  • Reference Tokens (Backed by a Session Store): Similar to opaque tokens, but the token is a reference to a server-side session. This allows for immediate revocation. This approach reintroduces some statefulness, but the benefits often outweigh the drawbacks in a high-security environment.
  • OAuth 2.0 and OpenID Connect (OIDC): This is the recommended approach for most fintech applications. OAuth 2.0 is a framework for delegated authorization, while OIDC adds an identity layer on top.
    • How it works: Users authenticate with an Identity Provider (IdP). The IdP issues access tokens (often, but not always, JWTs – and even when using JWTs, the IdP controls the signing and revocation process). Your application receives these tokens and uses them to access resources on behalf of the user.
    • Benefits:
      • Delegated Access: Users don’t share their credentials directly with your application.
      • Centralized Authentication: The IdP handles authentication, simplifying your application’s security model.
      • Revocation: The IdP can revoke tokens at any time.
      • Industry Standard: OIDC is widely adopted and well-supported.
  • Passkeys (WebAuthn/FIDO2): Emerging as a highly secure authentication method, passkeys eliminate the need for passwords altogether, relying on cryptographic key pairs stored on devices. While still evolving, passkeys offer strong protection against phishing and other common attacks. https://example.com/ – Consider a hardware security key to complement passkeys.
  • Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs): A cutting-edge approach offering self-sovereign identity. Users control their own identity data and selectively share verifiable credentials with applications. This is particularly relevant for applications requiring high levels of trust and data privacy.

A Practical Transition: Moving Away from JWTs

Migrating away from JWTs can seem daunting, but a phased approach is often the most effective:

  1. Audit Your Current JWT Usage: Identify all instances where JWTs are used in your applications.
  2. Prioritize Critical Areas: Focus on the most sensitive areas of your application first (e.g., transaction processing, account management).
  3. Implement a More Secure Alternative: Choose an alternative (e.g., OAuth 2.0/OIDC, opaque tokens) and integrate it into your applications.
  4. Gradually Deprecate JWTs: Phase out JWTs over time, starting with less critical areas.
  5. Regular Security Assessments: Continuously assess your security posture to identify and address new vulnerabilities.

Choosing the Right Solution: A Quick Comparison

| Feature | JWT | Opaque Tokens | OAuth 2.0/OIDC | Passkeys |

|---|---|---|---|---| | Statelessness | High | Low | Moderate (relies on IdP) | Low | | Revocation | Difficult | Easy | Easy | Easy | | Security | Low | Moderate | High | Very High | | Complexity | Low | Moderate | High | Moderate | | Secret Management | Critical | Important | IdP Managed | Device-Bound | | Fintech Suitability | Avoid | Acceptable (short-term) | Highly Recommended | Promising (future) |

Conclusion: Your Financial Security Depends On It

In the high-stakes world of finance, relying on insecure authentication mechanisms is simply unacceptable. While JWTs offer convenience, their inherent vulnerabilities pose a significant risk to your organization and your customers. Embrace more secure alternatives like OAuth 2.0/OIDC and explore emerging technologies like passkeys. Don’t let the ease of JWTs lull you into a false sense of security. Your financial future—and the trust of your customers—depends on making the right choice. https://example.com/ – Consider a security training course for your development team.

Disclaimer:

This article is for informational purposes only and should not be considered professional security advice. We may receive a commission if you purchase products through the affiliate links provided. We strive to provide accurate and up-to-date information, but the security landscape is constantly evolving. It is your responsibility to conduct thorough security assessments and implement appropriate security measures for your specific needs.

Pass it onX·LinkedIn·Reddit·Email
The Sunday note

If this was your kind of read.

Sign up for the morning email — short, hand-written, and sent only when there's something worth your time.

Free, sent from a person, not a system. Unsubscribe in one click whenever.

Keep reading

The archive →
DispatchJun 16, 2026

TIL: You can make HTTP requests without curl using Bash /dev/TCP

DispatchJun 15, 2026

I indexed 669 GB of my GoPro videos using my M1 Max computer and local ML models

DispatchJun 14, 2026

Not everyone is using AI for everything

DispatchJun 14, 2026

No, everyone is not using AI for everything