they technically don't need to begin like that! JWT is JSON and is therefore infamously vague... but in practice they for some reason always begin with "alg" so always like eyJhbG

▲

xg15 7 days ago | parent [-]

Has anyone tried to send a JWT token with the fields in a different order (e.g. a long key first and key ID and algorithm behind) and see how many implementations will break?

	▲	karel-3d 7 days ago \| parent [-]
		there are better things to do, like send json that has "alg" twice, each different (one of them "none" ideally) and different implementations handle it differently