ctf VS paseto

Audio can contain dial tones, or it can contain binary/morse code on some particular frequency, or it's not really "audio" but radio-transmission which needs to be decoded, or the audio can contain sounds of keyboard typing or even 3d printer head moving (like https://github.com/p4-team/ctf/tree/master/2020-05-10-spam-and-flags-teaser/3d_printer ), or maybe audio has multiple sources interleaved and you need to separate them and one has the flag, or maybe the audio file itself has specific format and some information can be passed there. There are infinite possibilities and it's impossible to say anything without analysing the file.

It's hard to say anything without actually seeing the page. Was there something inside the CSS files? You can do some crazy stuff there :) You can also do some fancy stuff like bypassing CSRF with CSS injection like in: https://github.com/p4-team/ctf/tree/master/2018-01-20-insomnihack/web_css

One thing that immediately comes into mind is that archives are "weird", and an archive file can be also a totally different type of file at the same time. Just to clarify what I mean see: https://github.com/p4-team/ctf/blob/master/2016-04-15-plaid-ctf/web_pixelshop/README.md and specifically the magic file https://github.com/p4-team/ctf/blob/master/2016-04-15-plaid-ctf/web_pixelshop/exploit.png this is totally valid PNG file but at the same time it's also totally valid ZIP file with PHP shell inside.

Funny part is that even in CTF challenges made around this problem challenge authors were introducing some intentional bugs to account for this scenario, because they thought it would be too unrealistic otherwise :D See for example: https://github.com/p4-team/ctf/tree/master/2018-12-08-hxp/crypto_uff

See: https://github.com/p4-team/ctf/tree/master/2016-03-12-0ctf/peoples_square and also https://github.com/TFNS/writeups/tree/master/2020-06-05-DefenitCTF/spn (this one is not AES but some toy SPN, but the idea is exactly the same and maybe easier to understand)

If it's some serious interesting cryptography (just to give you an example: https://github.com/p4-team/ctf/tree/master/2019-11-02-google-ctf/fractorization ), then perhaps consider talking to some CTF team to feature your challenge during an upcoming CTF

Also what you need doesn't require that much code, it's very similar to: https://github.com/p4-team/ctf/tree/master/2017-09-02-tokyo/crypto_rsa

Might I suggest Paseto (https://paseto.io/) - it solves a lot of the headaches of JWT. Signing and encryption are two different things that require two different sets of keys, so you can't mess it up.

(Full disclosure, I've written one implementation: https://github.com/auth70/paseto-ts)

Though we'll be building a session-based authentication system, it's noteworthy that with the introduction of some concepts which will be discussed in due time, you can turn it into JWT- or, more securely and appropriately, PASETO-based authentication system.

Time we ditch it and use paseto

The PASETO web site goes over it. Mostly it's designed to make you do things the right way and avoid all the security holes you can fall into with JWT.

If this is too much to handle, you shouldn't have to! There's already solutions that handle it for you