diff --git a/README.md b/README.md
index 337ba4e..77ceec4 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,7 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [DNS Rebinding](#dns-rebinding)
- [Deserialization](#deserialization)
- [OAuth](#oauth)
+ - [JWT](#jwt)
- [Evasions](#evasions)
- [XXE](#evasions-xxe)
- [CSP](#evasions-csp)
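Review bot: The added TOC entry `[JWT](#jwt)` uses a bare anchor, while the entries right below it use section-prefixed anchors (`#evasions-xxe`, `#evasions-csp`). The bare form matches its siblings `#oauth` and `#deserialization`, so it is consistent here, but it only resolves if the heading added in the second hunk yields exactly the `jwt` anchor. Please click through the rendered README to confirm the link lands on the new section, and keep the prefixed form in mind if a JWT entry is ever added under Evasions, so the two anchors do not collide.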
@@ -350,6 +351,10 @@ If you enjoy this awesome list and would like to support it, check out my [Patre
- [Introduction to OAuth 2.0 and OpenID Connect](https://pragmaticwebsecurity.com/courses/introduction-oauth-oidc.html) - Written by [@PhilippeDeRyck](https://twitter.com/PhilippeDeRyck).
- [What is going on with OAuth 2.0? And why you should not use it for authentication.](https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611) - Written by [@damianrusinek](https://medium.com/@damianrusinek).
+
+### JWT
+- [Hardcoded secrets, unverified tokens, and other common JWT mistakes](https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/) - Written by [@ermil0v](https://twitter.com/ermil0v).
+
## Evasions
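Review bot: In the added block, `### JWT` is followed immediately by the list item with no blank line between them, although a blank line is added before the heading and after the list. Some Markdown renderers and linters expect a blank line after a heading, so please match whatever spacing the neighbouring sections use (the OAuth heading is outside the visible context, so I cannot tell from this hunk alone). The entry itself follows the "Title - Written by [@handle](url)." pattern of the two OAuth lines above it, which is good.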