JWT
2 pains, avg 7.0/10
security 1, config 1
Incomplete or skipped token validation in APIs
9/10: APIs frequently validate only that a token is present rather than performing full server-side validation of signature, issuer, audience, expiry, and required scopes, leaving the system vulnerable to forged or expired tokens.
security, OAuth 2.0, JWT
JWT tokens too large to store in cookies
5/10: Developers often attempt to store self-encoded OAuth 2.0 tokens (JWTs) in cookies, but token size can exceed browser cookie limits. Alternative storage methods (memory, splitting) add implementation complexity.
config, OAuth 2.0, JWT