Best Practices
✅ Do
⋙ Always verify JWTs with decode() in production, and only act on the claims it returns after verification succeeds.
⋙ Set an expiration time to limit token lifetime, see Set Token Expiration.
⋙ Use appropriate keys for a specific algorithm, see Generate Keys.
⋙ Validate your claims by using JWT Pydantic models, see Custom Validation.
⋙ Handle SuperJWT exceptions in your code so that tampering attempts and claim validation failures are caught and rejected rather than crashing the request, see Error Handling.
⋙ Keep signing secrets out of source code and version control: load them at runtime from a secret management system or environment variables.
❌ Don't
⋙ Don't store sensitive data in a JWT/JWS. A signed token is only base64url-encoded, not encrypted, so anyone who obtains it can read its payload.
⋙ Don't share or reuse secret keys across environments.
⋙ Never act on data from inspect() in production: it decodes the token without verifying the signature, so the claims it returns may have been forged.
⋙ Never trust a client-provided token until its signature has been verified.
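The following example, added here and not taken from SuperJWT's own code, shows why the inspect-style and decode-style paths differ. It uses only the Python standard library (hmac, hashlib, base64, json) with constructed names such as `inspect_unverified`, `decode_verified` and `tamper_role`; these stand in for the library's own API and are not SuperJWT functions. An attacker rewrites the `role` claim of an HS256 token while keeping the original signature: the unverified read reports `admin`, the verified read rejects the token with a signature error, and the same verifier rejects the untampered token once its `exp` has passed. The secret is read from the `JWT_SECRET` environment variable, with a constructed placeholder for running offline.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


class InvalidToken(Exception):
    """Raised when a token fails signature or claim checks."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Constructed issuer: build and sign a compact JWS with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def inspect_unverified(token: str) -> dict:
    """inspect()-style read: returns the payload WITHOUT checking the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def decode_verified(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """decode()-style read: pin the algorithm, verify the HMAC, then check exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Never let the token choose its own algorithm (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims:
        raise InvalidToken("missing exp")
    if claims["exp"] <= now:
        raise InvalidToken("token expired")
    return claims


def tamper_role(token: str, role: str) -> str:
    """Constructed attacker step: rewrite the payload but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = role
    forged_payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{forged_payload}.{sig_b64}"


def demo() -> dict:
    """Run the four checks and return their outcomes keyed by scenario."""
    # Assumption: the real secret is provided via JWT_SECRET; the fallback is a constructed demo value.
    secret = os.environ.get("JWT_SECRET", "constructed-demo-secret-do-not-use").encode()
    issued = int(time.time())
    token = sign_hs256({"sub": "alice", "role": "user", "iat": issued, "exp": issued + 300}, secret)
    forged = tamper_role(token, "admin")

    results = {"inspect_forged_role": inspect_unverified(forged)["role"]}  # "admin": forgery believed
    try:
        decode_verified(forged, secret)
        results["decode_forged"] = "accepted"
    except InvalidToken as exc:
        results["decode_forged"] = str(exc)  # "bad signature"
    results["decode_valid_role"] = decode_verified(token, secret)["role"]  # "user"
    try:
        decode_verified(token, secret, now=issued + 301)
        results["decode_expired"] = "accepted"
    except InvalidToken as exc:
        results["decode_expired"] = str(exc)  # "token expired"
    return results


if __name__ == "__main__":
    print(demo())
```

The point to carry back to SuperJWT: anything read through an unverified path is attacker-controlled input, so authorization decisions must come only from the verified decode, and the verifier should refuse tokens whose `alg` differs from the one you issue.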