Build Your Own JWT in 5 Lines of JavaScript (2026)
Sign a JWT in the browser with HS256 and the Web Crypto API — five lines of JavaScript, no library, no server. The 2026 walkthrough.
Tutorials, deep-dives, and privacy-first thinking about developer tools.
When an API returns 401 Unauthorized in 2026, the JWT is usually the smoking gun. Decode the token, read exp, aud, iss — and fix the bug in 90 seconds.
The JWT alg: none vulnerability lets attackers forge tokens without a secret. Here's how the exploit works and why libraries still trip on it in 2026.
HS256 vs RS256 is the first decision when issuing a JWT — symmetric speed vs asymmetric key separation. Here's how to pick the right algorithm in 2026.
Every JWT carries the same standard claims — iss, sub, aud, exp, iat, nbf, jti. Here's what each one means, RFC 7519 references, and the bugs they cause.
Decode a JWT in 2026 with real Auth0 and Firebase tokens — header, payload, signature explained, common debugging traps, and why pasting tokens online is risky.
Base64 explained with 10 working examples — encode and decode in the browser, terminal, JavaScript, Python, and JWTs. Includes URL-safe variant and the `==` padding rule.