Replay attacks of jwt

  jwt

The JWT spec provides the jti field as a way to prevent replay attacks. That being said, tokens returned by Auth0 currently don't include a jti (we are thinking about adding it in the future), but basically you would just blacklist the jti to prevent a token being used more than X times (X being 1 in your case). You are kind of implementing a nonce (think of the token's signature as the nonce).

The token is placed in the HTTPS header so that it is not stolen.