They technically don't need to begin like that! JWT is JSON and is therefore infamously vague... but in practice they for some reason always begin with "alg", so always like eyJhbG
Has anyone tried to send a JWT token with the fields in a different order (e.g. a long key first and key ID and algorithm behind) and see how many implementations will break?
There are better things to do, like sending JSON that has "alg" twice, each different (one of them "none" ideally), and different implementations handle it differently
I know eyJhbG by heart
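Added example, not part of any comment in this thread: a verifier-side header check that does not depend on key order (so a header without the eyJhbG prefix still parses), rejects a header carrying "alg" twice instead of letting the JSON parser pick one, and enforces an algorithm allow-list. The function names, the allow-list and the sample tokens are constructed for illustration.

```python
import base64
import json

ALLOWED_ALGS = {"HS256", "RS256", "ES256"}  # assumption: this verifier's allow-list

class HeaderError(ValueError):
    """Raised when a JOSE header is ambiguous or names a disallowed algorithm."""

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _reject_duplicates(pairs):
    # json.loads calls this with every (key, value) pair of an object, in order.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise HeaderError(f"duplicate header member {key!r}")
        obj[key] = value
    return obj

def lenient_alg(token: str):
    # Python's default: the last duplicate silently wins; other parsers may keep the first.
    return json.loads(b64url_decode(token.split(".")[0])).get("alg")

def parse_jose_header(token: str) -> dict:
    raw = b64url_decode(token.split(".")[0])
    header = json.loads(raw, object_pairs_hook=_reject_duplicates)
    if not isinstance(header, dict):
        raise HeaderError("header is not a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise HeaderError(f"algorithm {alg!r} not allowed")
    return header

def make_token(header_json: bytes) -> str:
    # Constructed sample: empty payload ("e30" is "{}"), empty signature.
    return b64url_encode(header_json) + ".e30."

NORMAL = make_token(b'{"alg":"HS256","typ":"JWT"}')
REORDERED = make_token(b'{"typ":"JWT","alg":"HS256"}')
DUPLICATE = make_token(b'{"alg":"HS256","alg":"none"}')

if __name__ == "__main__":
    for name, tok in [("normal", NORMAL), ("reordered", REORDERED), ("duplicate", DUPLICATE)]:
        try:
            print(name, tok[:8], parse_jose_header(tok))
        except HeaderError as exc:
            print(name, tok[:8], "rejected:", exc)
```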