`none`: this algorithm is not a real algorithm. It should only be used when other security means exist. An encrypted connection is certainly not enough!

`RSA1_5`: there are known attacks using this algorithm. If you can avoid its use, then do it.

`123456789`.

You should use at least 256 bits symmetric keys and at least 2048 bits RSA keys.

Key parameters:

- `kid`: a unique key ID.
- `use`: indicates the usage of the key. Either `sig` (signature/verification) or `enc` (encryption/decryption).
- `alg`: the algorithm allowed to be used with this key.
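The key parameters and minimum sizes above can be enforced before a key is ever loaded into a signer or decrypter. The following is an added example, not the project's own code: `check_jwk`, `key_bits` and the sample keys are constructed for illustration, and the RSA modulus is a dummy value of the right length, not a real key.

```python
"""Check a JWK against the key recommendations: kid/use/alg present, no
discouraged algorithm, and a key of sufficient size (added example)."""
import base64
from typing import List

MIN_SYMMETRIC_BITS = 256
MIN_RSA_BITS = 2048
DISCOURAGED_ALGS = {"none", "RSA1_5"}


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def key_bits(jwk: dict) -> int:
    """Effective key length: octet string length for `oct`, modulus size for `RSA`."""
    kty = jwk.get("kty")
    if kty == "oct":
        return 8 * len(_b64url_decode(jwk["k"]))
    if kty == "RSA":
        return int.from_bytes(_b64url_decode(jwk["n"]), "big").bit_length()
    raise ValueError(f"unsupported kty: {kty!r}")


def check_jwk(jwk: dict) -> List[str]:
    """Return a list of policy violations; an empty list means the key is acceptable."""
    problems = []
    for name in ("kid", "use", "alg"):
        if not jwk.get(name):
            problems.append(f"missing {name}")
    if "use" in jwk and jwk["use"] not in ("sig", "enc"):
        problems.append(f"invalid use: {jwk['use']!r}")
    if jwk.get("alg") in DISCOURAGED_ALGS:
        problems.append(f"discouraged alg: {jwk['alg']}")
    try:
        bits = key_bits(jwk)
    except (KeyError, ValueError) as exc:
        problems.append(str(exc))
        return problems
    minimum = MIN_SYMMETRIC_BITS if jwk["kty"] == "oct" else MIN_RSA_BITS
    if bits < minimum:
        problems.append(f"key too short: {bits} bits, need at least {minimum}")
    return problems


# Constructed sample keys (not real secrets; only their shape and length matter).
GOOD_OCT = {"kty": "oct", "kid": "hs-2024-01", "use": "sig", "alg": "HS256",
            "k": _b64url_encode(b"\x11" * 32)}            # 256-bit symmetric key
SHORT_OCT = {"kty": "oct", "kid": "hs-old", "use": "sig", "alg": "HS256",
             "k": _b64url_encode(b"\x11" * 16)}           # only 128 bits
GOOD_RSA = {"kty": "RSA", "kid": "rsa-2024-01", "use": "enc", "alg": "RSA-OAEP-256",
            "n": _b64url_encode(b"\x80" + b"\x00" * 255),  # dummy 2048-bit modulus
            "e": "AQAB"}
BAD_RSA = {"kty": "RSA", "use": "enc", "alg": "RSA1_5",    # no kid, discouraged alg
           "n": _b64url_encode(b"\x80" + b"\x00" * 127),   # dummy 1024-bit modulus
           "e": "AQAB"}

if __name__ == "__main__":
    for label, jwk in (("GOOD_OCT", GOOD_OCT), ("SHORT_OCT", SHORT_OCT),
                       ("GOOD_RSA", GOOD_RSA), ("BAD_RSA", BAD_RSA)):
        print(label, check_jwk(jwk) or "ok")
```

Run the policy check over every key in a JWK set at load time and refuse to start with a non-empty result; that turns a weak or under-specified key into a deployment error rather than a runtime surprise.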
`iss` and `aud` should be duplicated into the header. This will avoid unwanted decryption when tokens are sent to a wrong audience.

`jti`: a unique token identifier.

- `exp`: expiration time,
- `iat`: issuance time,
- `nbf`: validity point in time.

`iss` (issuer) and `aud` (audience) should always be set. When duplicated in the header, their values MUST be identical.

Header parameters that are checked: `alg` (algorithm) and `enc` (only for JWE). The `crit` (critical) header parameter is always checked.

Claims that are checked: `exp`, `iat`, `nbf`, `iss` and `aud`. Application specific claims should also always be checked.