Anthropic-Cybersecurity-Skills/skills/testing-jwt-token-security/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Testing JWT Token Security

## PyJWT Library

### Installation

```bash
pip install PyJWT
```

### Encoding (Creating Tokens)

```python
import jwt
payload = {"sub": "1", "role": "user"}  # claims to sign
secret = "replace-with-a-long-random-secret"  # HS256 key; PyJWT 2.x returns a str
token = jwt.encode(payload, secret, algorithm="HS256")
```

### Decoding

```python
# Without verification (for analysis only; never trust these claims)
payload = jwt.decode(token, options={"verify_signature": False})

# With verification; always pin the accepted algorithms list
payload = jwt.decode(token, secret, algorithms=["HS256"])
```

### Supported Algorithms

| Algorithm | Type | Description |
|-----------|------|-------------|
| HS256 | HMAC | SHA-256 symmetric signing |
| HS384 | HMAC | SHA-384 symmetric signing |
| HS512 | HMAC | SHA-512 symmetric signing |
| RS256 | RSA | SHA-256 asymmetric signing |
| RS384 | RSA | SHA-384 asymmetric signing |
| ES256 | ECDSA | P-256 curve signing |

## JWT Attack Types

| Attack | Description | Severity |
|--------|-------------|----------|
| Algorithm None | Set alg to "none", remove signature | Critical |
| Algorithm Confusion | Switch RS256 to HS256, sign with public key | Critical |
| HMAC Brute Force | Crack weak signing secrets | Critical |
| JKU Injection | Point JWK Set URL to attacker server | Critical |
| KID Injection | SQL injection or path traversal in Key ID | Critical |
| Claim Tampering | Modify role/sub claims after key compromise | High |
| Expired Token Reuse | Use tokens past expiration | High |
| No Revocation | Tokens valid after logout/password change | High |

## JWT Structure

```text
Header.Payload.Signature
base64url({"alg":"HS256","typ":"JWT"}).base64url({"sub":"1","role":"user"}).HMACSHA256(...)
```

## Standard Claims

| Claim | Description |
|-------|-------------|
| iss | Token issuer |
| sub | Subject (user identifier) |
| aud | Intended audience |
| exp | Expiration time (Unix timestamp) |
| nbf | Not valid before time |
| iat | Issued at time |
| jti | Unique token identifier |
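The following block is an added example, not part of this skill's reference or of PyJWT; it ties together the Decoding, JWT Structure, JWT Attack Types and Standard Claims sections above. It builds the Header.Payload.Signature form by hand with only the standard library (so the structure is visible), separates an unverified "peek" for analysis from a real verifier, and shows the defensive checks that close the listed attack classes: the verifier pins `alg` server-side (rejecting "none" and algorithm confusion), uses a constant-time HMAC compare, and validates `iss`, `aud`, `exp`, `nbf` and `iat`. The secret, issuer, audience, clock value and claim values are constructed demo inputs.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the reference page).
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
DEMO_ISSUER = "https://issuer.example"
DEMO_AUDIENCE = "orders-api"
NOW = 1_700_000_000  # fixed clock so the checks are deterministic


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Build Header.Payload.Signature with HMAC-SHA256 over the first two segments."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def peek(token: str) -> tuple:
    """Unverified split of header and payload, for analysis only; nothing here is trusted."""
    header, body, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: int = NOW, leeway: int = 0) -> dict:
    """Verify the signature first, then the standard claims; raise InvalidToken on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_seg, body_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    # Pin the algorithm server-side: the token's own alg field is attacker-controlled,
    # so "none" and algorithm-confusion variants are rejected before any crypto runs.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_seg}.{body_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(body_seg))
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("audience mismatch")
    if "exp" not in claims:
        raise InvalidToken("exp claim required")
    if now >= claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise InvalidToken("token not yet valid")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise InvalidToken("token issued in the future")
    return claims


def run_checks() -> dict:
    """Run the verifier over a valid token and three constructed negative test vectors."""
    good = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "1", "role": "user",
            "iat": NOW, "nbf": NOW, "exp": NOW + 300, "jti": "constructed-id-001"}
    token = encode_hs256(good, DEMO_SECRET)
    header_seg, body_seg, sig_seg = token.split(".")
    # Negative vectors derived from the valid token: alg "none" with an empty signature,
    # a payload edited to role=admin with the old signature, and an already-expired token.
    alg_none = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + body_seg + "."
    edited_body = b64url_encode(json.dumps(dict(good, role="admin"), separators=(",", ":")).encode())
    tampered = f"{header_seg}.{edited_body}.{sig_seg}"
    expired = encode_hs256(dict(good, exp=NOW - 1), DEMO_SECRET)

    results = {}
    for name, candidate in [("valid", token), ("alg_none", alg_none),
                            ("tampered", tampered), ("expired", expired)]:
        try:
            verify_hs256(candidate, DEMO_SECRET, DEMO_ISSUER, DEMO_AUDIENCE)
            results[name] = "accepted"
        except InvalidToken as err:
            results[name] = f"rejected: {err}"
    results["peek_alg"] = peek(token)[0]["alg"]  # header read without verification
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The order of checks matters: the algorithm is pinned before any signature work, the signature is verified before any claim is read, and only then are `iss`, `aud` and the time-based claims compared against the server's own expectations. `peek()` exists purely for inspection during testing and mirrors PyJWT's `verify_signature: False` mode; its output must never drive an authorization decision.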

## References