11. Security Considerations

All security considerations from the JWS [JWS] and JWE [JWE] specifications apply to this specification. Therefore, implementers should carefully read the security considerations sections of those specifications.

11.1. Trust Decisions

The ability to use JWT contents for making trust decisions depends on the authenticity and integrity of those contents. When using digital signatures or MACs to protect JWTs, the authenticity and integrity of the JWT contents can be verified.

However, signing or MAC-protecting a JWT provides no guarantee about the origin of the JWT contents. The signature or MAC can only verify that the contents have not been altered since the signature or MAC was created. The verification of a signature or MAC does not determine who created the signature or MAC -- only that the holder of the key used for the signature or MAC performed that operation.

Therefore, implementations MUST establish a trust relationship between the JWT contents and the party that performed the signing or MAC operation. For example, for JWTs using public key cryptography, this might involve verifying the certificate chain of the public key used for signing to determine the identity of the signer.

11.2. Signing and Encryption Order

When both signing and encryption are applied to a JWT, the JWT should generally be signed first and the signed JWT then encrypted. This prevents an attacker from stripping off the signature and replacing it with their own signature.

When a JWT may be exposed to multiple audiences, it is especially important to use the "aud" (audience) claim to restrict the intended recipients of the JWT.
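The following is an added illustration of the checks in 11.1 and 11.2 for a MAC-protected (HS256) JWT; it is not part of this specification and uses only the Python standard library. The issuer names, the audience value and the key registry are constructed for the example; the point is that a valid MAC only proves the key holder signed, so the verifier must choose the key from an issuer it already trusts and must check "aud" before acting on the claims.

```python
import base64
import hashlib
import hmac
import json

# Constructed registry: maps an issuer we trust to the key we expect it to use.
# MAC verification alone says "whoever holds this key signed"; this table is
# the trust relationship (11.1) that turns that into "a party we trust signed".
TRUSTED_ISSUER_KEYS = {"https://issuer.example": b"constructed-demo-secret"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS (HS256) over the given claims; used to make test tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_jwt(token: str, expected_aud: str):
    """Return the claims if the JWT is from a trusted issuer and meant for us, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # this verifier supports exactly one algorithm
        return None
    # Trust decision: the key is selected by the issuer we trust, never by the token.
    key = TRUSTED_ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # contents altered, or signed with a key other than the issuer's
    # Audience restriction (11.2): reject a token minted for some other recipient.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return None
    return claims
```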