Here's your recommendations: https://security.stackexchange.com/a/233863/111020

And yes I just spent 2 hours writing that.

There can't be a great authentication/crypto that can improve over time. In theory, it must block old things to be state of the art. In practice, it's used in client-server communications, that would break all communications if nothing could talk unless they're always on the exact same version.

Good recommendation. I should add that RSA is faster on verification but slower on signing than ECDSA. For most application, the amount of traffic is small enough that the difference doesn't matter but for large enough traffic, you should consider the difference. The performance of course depends on a lot of factors but

https://connect2id.com/blog/nimbus-jose-jwt-6

would give some reasonable idea on the practical difference on modern hardware.

Lovely. Thanks for writing this.

Paseto appears to be something that attempts to be "JWT but with sensible choices already made".

When it comes down to it, you need some crypto knowledge to make these choices. We constrain them to PS256 and ES256 in our system (but then you also need to make sure that the curve used for your keys for the ES256 signature is an acceptable one)

Yeah, at this point, just use PASETO and be done with it. It's not worth trying to figure out which JWT misconfiguration will burn you next.

From pypaseto

“ This is still in early development. It has not been reviewed in a security audit yet, so please be aware that it is not expected to be ready for use in production systems.”

Is that remark about that specific implementation or the spec as a whole?

Just for the specific implementation. The reference implementation is the PHP version here:

https://github.com/paragonie/paseto

And has had a lot more attention.

The SPIFFE JWT-SVID standard attempts this, although for a specific context: https://github.com/spiffe/spiffe/blob/master/standards/JWT-S...