Hi @six8,
Thanks for sharing your findings with us. Normally, when we write articles that explain how to secure an application, we pass the algorithm from the app settings (or an environment variable), which should match the algorithm the authorization server uses to sign the JWT. Here is an example: Build and Secure a FastAPI Server with Auth0
I’ll review the wording and add a note or partially rewrite this article to prevent any reader from getting confused here and thinking the code provided in the article is production ready.
Thanks again, I’ll post here again once the article is revised.
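An added example (not code from this thread or the linked article) of the configured-algorithm check described in the reply above: the verifier reads the expected algorithm from settings and rejects any token whose header names a different one, so the token header never gets to choose the algorithm. For the demo it assumes HS256 with a shared secret, constructed settings values, and the standard library only (no JWT package).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo settings. In a real app these come from environment
# variables / app settings and must match the authorization server's
# signing algorithm. Only HS256 is implemented here (demo assumption).
SETTINGS = {"JWT_ALGORITHM": "HS256", "JWT_SECRET": "constructed-demo-secret"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, alg: str, secret: str) -> str:
    """Build a compact JWT; used only to construct sample tokens."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signing_input = f"{head}.{body}".encode()
    if alg == "HS256":
        sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    else:  # any other alg (e.g. "none") yields an unsigned token
        sig = b""
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, settings: dict) -> dict:
    """Accept a token only if its alg equals the configured one and the
    HMAC signature verifies; the header is never trusted to pick the alg."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected_alg = settings["JWT_ALGORITHM"]
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} != configured {expected_alg!r}")
    if expected_alg != "HS256":
        raise NotImplementedError("demo supports HS256 only")
    expected_sig = hmac.new(settings["JWT_SECRET"].encode(),
                            f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def is_accepted(token: str, settings: dict) -> bool:
    """Convenience wrapper: True if verify_token accepts the token."""
    try:
        verify_token(token, settings)
        return True
    except ValueError:
        return False
```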