JWT security guides
Short, practical explainers on common JWT vulnerabilities — what they are, how to test for them, and how to fix them. Each links to the tool so you can try it on a token you are authorized to test.
JWT Algorithm Confusion (RS256 → HS256)
Force a server to verify an RS256 token as HS256 using its public key as the HMAC secret — and how to fix it.
Read guide →

The JWT alg:none Attack
Strip the signature and set alg to none to bypass verification — variants, testing, and remediation.
Read guide →

JWT kid Header Injection (path traversal, SQLi, command injection)
Turn an unsanitized kid header into path traversal, SQLi, or command injection — including the /dev/null empty-key forgery.
Read guide →

How to Verify a JWT (Correctly)
Verify signature and claims the right way: pin the algorithm, check exp/nbf/aud/iss, and avoid the common bypasses.
Read guide →

JWT Security Best Practices
A practical checklist: algorithm pinning, short lifetimes, key rotation, claim validation, and safe storage.
Read guide →