== How to fix it in Auth0 JWT

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,java,diff-id=1,diff-type=noncompliant]
----
import com.auth0.jwt.JWT;

public void encode() {
    JWT.create()
        .withSubject(SUBJECT)
        .sign(Algorithm.none()); // Noncompliant
}
----

[source,java,diff-id=2,diff-type=noncompliant]
----
import com.auth0.jwt.JWT;

public void decode() {
    JWTVerifier verifier = JWT.require(Algorithm.none()) // Noncompliant
        .withSubject(LOGIN)
        .build();
}
----

==== Compliant solution

[source,java,diff-id=1,diff-type=compliant]
----
import com.auth0.jwt.JWT;

public void encode() {
    JWT.create()
        .withSubject(SUBJECT)
        .sign(Algorithm.HMAC256(SECRET_KEY));
}
----

[source,java,diff-id=2,diff-type=compliant]
----
import com.auth0.jwt.JWT;

public void decode() {
    JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET_KEY))
        .withSubject(LOGIN)
        .build();
}
----

=== How does this work?

include::../../common/fix/encode.adoc[]

include::../../common/fix/decode.adoc[]

=== Going the extra mile

include::../../common/extra-mile/key-storage.adoc[]

include::../../common/extra-mile/key-rotation.adoc[]