Are JWT and Auth0 safe?
I’m interested in using Auth0, and began learning about JWTs, but now I’m stumbling upon “Don’t Use JWT!” blog posts everywhere.

I’m thoroughly scared off of using them standalone, but I suspect Auth0 fixes a lot of these vulnerabilities in your libs.

Are these things true (JWT bad, Auth0 safe)?

If so, is there a blog post on the differences to put my mind at ease?
JWTs are not inherently bad; yes, there are reported problems related to those specifications, but every day there are vulnerabilities reported within software, standards and protocols in general, so it seems like the only safe option is to turn off the computer and not use it.

However, the JWT-related specifications are sufficiently complex to warrant a red flag if you intend to implement them yourself. The best course of action in relation to JWT and authentication/authorization in general is to reuse as much as possible and try to stay away from custom implementations. If you use third-party libraries or services, it’s highly likely that the people behind those libraries and services spend much more time thinking about the possible security issues than you would spend.

Your objective is to get business value from your application and implement what your users want. Security is necessary, but it’s best to delegate it to a trusted third-party library or service.

The question you posted is also not the first about this, so you may find the relevant links a good read:
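To make the "don't roll your own" point concrete, here is an added example (not from this thread, and not Auth0's or any library's code) of the checks a JWT-verifying library performs on a single HS256 token: the expected algorithm is pinned in the verifier rather than taken from the token header (which is what makes the `alg: none` class of bugs possible), the signature is compared in constant time, and `exp`, `iss` and `aud` are validated against values the application chooses. The secret, issuer, audience and tokens below are all constructed for the demo; a real deployment receives tokens from its identity provider and would use a maintained library with the algorithm and audience configured explicitly rather than this code.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed token factory for the demo only; real tokens come from the issuer."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    if alg == "none":
        # An unsigned token: three segments, empty signature.
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is valid; raise ValueError with a reason otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:
        raise ValueError("unparseable header")
    # The verifier decides the algorithm; the header is only checked for agreement.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    # Only parse claims after the signature is known to be good.
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def run_demo(now: int = 1_700_000_000) -> dict:
    """Run the verifier over a valid token and four constructed bad ones."""
    key = b"constructed-demo-secret-not-for-production"
    iss, aud = "https://issuer.example/", "my-api"
    good = {"iss": iss, "aud": aud, "sub": "user-1", "exp": now + 600}
    cases = {
        "valid": make_hs256_token(good, key),
        "alg_none": make_hs256_token(good, key, alg="none"),
        "expired": make_hs256_token({**good, "exp": now - 1}, key),
        "wrong_audience": make_hs256_token({**good, "aud": "other-api"}, key),
    }
    # Tampered: payload swapped for a different subject, original signature kept.
    head, _, sig = cases["valid"].split(".")
    cases["tampered"] = f"{head}.{_segment({**good, 'sub': 'admin'})}.{sig}"
    results = {}
    for name, token in cases.items():
        try:
            results[name] = "accepted:" + verify_hs256(token, key, iss, aud, now=now)["sub"]
        except ValueError as err:
            results[name] = "rejected:" + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15s} {outcome}")
```

Every one of those checks is something an application has to get right on every request, and the list above is still shorter than what a real library handles (key rotation via JWKS, multiple algorithms, clock skew, `nbf`), which is the practical reason for the advice to reuse rather than reimplement.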