none: this is not a real algorithm. It should only be used when other security measures are in place. An encrypted connection alone is certainly not enough!
RSA1_5: there are known attacks using this algorithm. If you can avoid its use, then do it.
123456789. You should use at least 256-bit symmetric keys and at least 2048-bit RSA keys.
kid: A unique key ID,
use: indicates the usage of the key. Either
alg: the algorithm allowed to be used with this key.
aud should be duplicated into the header. This will avoid unwanted decryption when tokens are sent to the wrong audience.
exp: expiration time,
iat: issuance time,
nbf: validity point in time.
aud (audience) should always be set. When duplicated in the header, the two values MUST be identical.
enc (only for JWE) parameters. The
crit (critical) header parameter is always checked.
aud claims. Application-specific claims should also always be checked.
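
The header and claim checks listed above, applied to an already-decoded token, as an added example that is not code from the original page or from any particular JWT library. The names `check_token` and `UNDERSTOOD_CRIT` and the sample values are hypothetical, and requiring all three time claims is an assumption of this sketch. Signature verification and decryption are separate steps and are not shown.

```python
import time

FORBIDDEN_ALGS = {"none", "RSA1_5"}  # algorithms the recommendations warn against
UNDERSTOOD_CRIT = {"aud"}  # assumption: the only extension header this checker handles

def _num(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)

def check_token(header, claims, expected_aud, allowed_algs, now=None):
    """Return the problems found in an already-decoded header and claim set.

    Signature verification / decryption is a separate step and is not done here.
    """
    now = time.time() if now is None else now
    problems = []
    alg = header.get("alg")
    if alg in FORBIDDEN_ALGS or alg not in allowed_algs:
        problems.append("alg not allowed")
    # crit: every listed name must be present in the header and understood.
    for name in header.get("crit", []):
        if name not in header or name not in UNDERSTOOD_CRIT:
            problems.append("unsupported crit parameter: " + name)
    # Time claims: all three are required here (assumption), then range-checked.
    exp, iat, nbf = (claims.get(k) for k in ("exp", "iat", "nbf"))
    if not all(_num(v) for v in (exp, iat, nbf)):
        problems.append("exp, iat and nbf must all be numeric")
    else:
        if now >= exp:
            problems.append("expired")
        if now < nbf:
            problems.append("not yet valid")
        if iat > now:
            problems.append("issued in the future")
    # aud: must be set and name this recipient; a header copy must be identical.
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else aud
    if not isinstance(auds, list) or expected_aud not in auds:
        problems.append("aud missing or wrong audience")
    if "aud" in header and header["aud"] != aud:
        problems.append("header aud differs from claim aud")
    return problems

# Constructed sample values, not taken from any real token.
NOW = 1_700_000_000
GOOD_HEADER = {"alg": "RS256", "aud": "https://api.example.test"}
GOOD_CLAIMS = {"aud": "https://api.example.test", "iat": NOW - 60,
               "nbf": NOW - 60, "exp": NOW + 300}
```

An empty list means every check passed; the forbidden algorithms are rejected even if a caller puts them in `allowed_algs`.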