Despite its popularity JWT has been the subject of intense criticism that has been substantiated/amplified by a steady stream of public vulnerabilities in libraries and deployments. There have been legitimate security problems with JWT usage, many of which can be attributed directly to fundamental flaws in the specification itself that allowed or encouraged such mistakes. But is JWT irredeemably flawed? This session will endeavor to take a hard look at that very question with a review/overview of JWT fundamentals and a pragmatic look a the most common and/or biting criticisms and associated real-world vulnerabilities.