JWT verification in production: an 8-check field guide

DEV Community·Blue Hills·29 days ago
#maSWw6eI
#jwt#oidc#security#deved#token#issuer

A correct JWT verifier does eight things. Most production verifiers I have read do four or five of them. The other three or four get skipped because the library defaults aren't loud about them, the docs gloss over them, or someone copied a "it works" snippet from Stack Overflow circa 2018. Here is the full eight-check list, what each one prevents, and what it looks like to implement them with structured error codes — the kind that survive a midnight 401 incident with a clear remediation path.

1. Signature

Verify the cryptographic signature against a public key from the issuer's JWKS endpoint, scoped to the kid (key id) in the JWT header.

Fails if: the signature is forged, the key has been rotated and your cache is stale, or the JWKS endpoint is unreachable.

The bug class is anything that lets a token through without signature verification — the alg=none family, or libraries that accept the token's own alg claim instead of an explicit allowlist.

Failure code: SIGNATURE_INVALID or KID_NOT_FOUND.

2. …
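The check above, as an added example that is not part of the original post: a minimal verifier that enforces an explicit algorithm allowlist (so the token's own alg header, including alg=none, is never trusted), looks the signing key up by kid, and returns structured failure codes. The key set and secrets are constructed for the example; it uses HS256 with the standard library only so it runs offline, whereas a production verifier would load asymmetric public keys from the issuer's JWKS endpoint and cache them with refresh-on-unknown-kid.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the issuer's key set, keyed by kid. A real verifier
# fetches public keys from the JWKS endpoint; HMAC secrets are used here only
# so the example runs with the standard library.
KEYSET = {
    "key-2024-01": b"constructed-secret-one",
    "key-2024-02": b"constructed-secret-two",
}

# Explicit allowlist. The alg claim inside the token is compared against this
# set and is never used to pick the verification routine on its own.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def verify_signature(token: str, keyset=KEYSET, allowed_algs=ALLOWED_ALGS):
    """Return (ok, failure_code, payload). Only check 1 of the eight is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "MALFORMED", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "MALFORMED", None
    if not isinstance(header, dict):
        return False, "MALFORMED", None
    # Allowlist check first: rejects alg=none and any algorithm we did not opt into.
    if header.get("alg") not in allowed_algs:
        return False, "ALG_NOT_ALLOWED", None
    # Key lookup scoped to kid; a stale cache or unknown kid fails closed.
    key = keyset.get(header.get("kid"))
    if key is None:
        return False, "KID_NOT_FOUND", None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    try:
        actual = _b64url_decode(sig_b64)
    except ValueError:
        return False, "SIGNATURE_INVALID", None
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(_sign(signing_input, key), actual):
        return False, "SIGNATURE_INVALID", None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "MALFORMED", None
    return True, "OK", payload


def mint_token(payload: dict, kid: str, key: bytes, alg: str = "HS256") -> str:
    """Test fixture only: builds a constructed token so the verifier can be exercised."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig_b64 = "" if alg == "none" else _b64url_encode(_sign(signing_input, key))
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    good = mint_token({"sub": "alice"}, "key-2024-01", KEYSET["key-2024-01"])
    print(verify_signature(good))
    print(verify_signature(mint_token({"sub": "alice"}, "key-2023-12", b"old")))
```

The order of the checks matters: the algorithm allowlist runs before any key material is touched, the kid lookup fails closed, and each failure maps to one code an on-call engineer can act on (refresh the JWKS cache for KID_NOT_FOUND; treat SIGNATURE_INVALID as a forgery or a wrong key).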
