Livestream

Are You Sure Your Access Tokens Are Really Secure?

March 3, 2026

10:00 EST / 16:00 CET / 15:00 UTC

Overview:

So you've read about OAuth 2.0. You're committed to best practices. Now you've decided to secure your web API using JWT access tokens. Most likely, you're relying on an open-source library to parse and validate these tokens. You're even confident that your configuration will only accept tokens from your trusted issuer or token service. But doubt is creeping in. How can you be certain that your API only accepts access tokens issued by your service?

JSON Web Tokens (JWTs) are a widely used format for API access tokens, but common validation misconfigurations leave applications accepting tokens they should reject. This session explores critical pitfalls in token validation and how to choose the most secure token architecture for your specific needs.

What you'll learn:

In this session, you'll learn the critical pitfalls of validating JWTs, discover how to automate security testing for them, and evaluate the strategic trade-offs between JWTs and opaque tokens.

Wesley will demonstrate some tricks that can bypass improperly configured token validation. He'll demo how easy it is to fool your API if you're not careful. Finally, he'll walk through how to write tests that ensure your application is protected against these exploits, keeping your data and users safe.
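The kind of check described above, as an added example that is not part of the original page and not Duende Software's code: a Python script contrasting a loosely configured HS256 validator with a hardened one, plus a handful of constructed tokens that a validation test suite should pin down. The shared secret, issuer URL and audience name are assumptions for the example; the bypass cases (an unsigned `alg: none` token, a token minted for another audience or by another issuer holding the same key, an expired token) are generic pitfalls and not necessarily the specific tricks demonstrated in the session.

```python
import base64
import hashlib
import hmac
import json
import time

# All names below are constructed for this example; they are not Duende
# Software's code or configuration.
SHARED_SECRET = b"example-shared-secret-do-not-use"   # HS256 key, constructed
TRUSTED_ISSUER = "https://issuer.example"             # assumed token service
EXPECTED_AUDIENCE = "orders-api"                      # assumed API identifier


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg="none" yields an unsigned token, which is
    exactly what an attacker can craft by hand without knowing any key."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    return parts


def validate_loosely(token: str, key: bytes = SHARED_SECRET) -> dict:
    """Misconfigured validator: it lets the token's own header choose the
    algorithm (so alg=none skips the signature check entirely) and never
    looks at iss, aud or exp."""
    h, p, s = _split(token)
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "none":
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(p))


def validate_strictly(token: str, key: bytes = SHARED_SECRET,
                      issuer: str = TRUSTED_ISSUER,
                      audience: str = EXPECTED_AUDIENCE, now=None) -> dict:
    """Hardened validator: the algorithm is pinned by the API rather than read
    from the token; signature, issuer, audience and expiry are all mandatory."""
    h, p, s = _split(token)
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise ValueError("token expired or missing exp")
    return claims


def accepts(validator, token: str) -> bool:
    """True if the validator returns claims, False if it rejects with ValueError."""
    try:
        validator(token)
        return True
    except ValueError:
        return False


# Constructed test tokens covering the cases a validation test suite should pin down.
FAR_FUTURE = 4102444800   # 2100-01-01T00:00:00Z
GOOD_CLAIMS = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice", "exp": FAR_FUTURE}
VALID_TOKEN = mint_token(GOOD_CLAIMS, SHARED_SECRET)
ALG_NONE_TOKEN = mint_token(GOOD_CLAIMS, b"", alg="none")                   # forged, unsigned
OTHER_AUDIENCE_TOKEN = mint_token({**GOOD_CLAIMS, "aud": "billing-api"}, SHARED_SECRET)
OTHER_ISSUER_TOKEN = mint_token({**GOOD_CLAIMS, "iss": "https://attacker.example"}, SHARED_SECRET)
EXPIRED_TOKEN = mint_token({**GOOD_CLAIMS, "exp": 1000000000}, SHARED_SECRET)

if __name__ == "__main__":
    cases = [("valid", VALID_TOKEN), ("alg=none", ALG_NONE_TOKEN),
             ("other audience", OTHER_AUDIENCE_TOKEN),
             ("other issuer, same key", OTHER_ISSUER_TOKEN), ("expired", EXPIRED_TOKEN)]
    for name, tok in cases:
        print(f"{name:24} loose={accepts(validate_loosely, tok)!s:5} "
              f"strict={accepts(validate_strictly, tok)}")
```

Running the script shows the two columns diverge on every forged or mis-scoped token while both accept the valid one. In a real API the same cases belong in the test suite against whatever library parses the token, with the allowed algorithms, issuer, audience and signing key configured on the validator and never taken from the token header; for asymmetric signing (RS256, ES256) the same rules apply, with the verification key selected from a pinned JWKS rather than from anything the token supplies.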

Speaker:

Wesley Cabus | Customer Success Engineer

Wesley Cabus is a Customer Success Engineer at Duende Software, assisting developers with issues, documenting common problems, and teaching about security and identity. He is a board member at VISUG, the Belgian Visual Studio User Group, and delivers sessions in the local user group community and at conferences around the globe. Wesley is also a Microsoft MVP.

Register for free