Too Long; Didn't Read
HMACs and MACs are authentication codes that allow receivers of messages to know who the sender was (authentication) A JWT (when using HMAC as the signing scheme) is basically just an HMAC message where the message data is a JWT object. An HMAC uses two rounds of hashing instead of one (or none) Each round of hashing uses a section of the secret key. We call this a length extension attack. No known extension attacks are known against the current HMAC specification.