A short reference on JSON Web Tokens — the three-part structure, the algorithms that sign them, what they are good for, what they are bad for, and why you should not roll your own auth on top.

A short reference on Cross-Origin Resource Sharing — what counts as a cross-origin request, the simple vs preflight distinction, the headers that matter, and why CORS is a browser-side restriction rather than a server-side one.