Analyze JSON Web Tokens for weak algorithms, key exposure, and implementation flaws.
Overview
JSON Web Tokens (JWT) are widely used for authentication but frequently misconfigured. Our scanner checks for weak signing choices (the "none" algorithm, HS256 with guessable secrets), missing or overly long expiration, sensitive data in payloads, and algorithm confusion, where a token's header switches RS256 to HS256 so that the server's public key is used as the HMAC secret.
What this scanner does
Intercepts JWTs from cookies and Authorization headers, decodes the header to inspect the algorithm choice, scans the payload for sensitive data exposure, verifies the expiration claims, and tests whether the verifier accepts algorithm confusion (RS256→HS256) and the none-algorithm bypass.
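The checks above, as an added stdlib-only Python example (not the scanner's own code): it decodes a compact JWT, flags the "none" algorithm, brute-forces HS256 against a small wordlist, checks `exp` and sensitive claim names, and then contrasts a verifier that lets the token header pick the algorithm with one that pins it server-side. The wordlist, the tokens, and `PUBLIC_KEY_PEM` (a placeholder standing in for an RSA public key, since the confusion attack only needs the bytes the server holds) are all constructed for the demo; real RS256 verification is omitted because it needs a third-party library.

```python
"""JWT inspection and algorithm-confusion demo (stdlib only, constructed inputs)."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

SENSITIVE_CLAIMS = {"password", "ssn", "credit_card", "secret", "api_key"}
# Tiny constructed wordlist; a real check uses a large dictionary.
WEAK_KEYS = [b"secret", b"password", b"changeme", b"123456", b"jwt_secret"]
# Constructed placeholder standing in for the server's RSA public key PEM.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(header: dict, payload: dict, key: Optional[bytes]) -> str:
    """Build a compact JWS. HS256 signs with `key`; any other alg gets an empty signature."""
    def seg(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg(header) + "." + seg(payload)
    if header.get("alg") == "HS256" and key is not None:
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    return signing_input + "."  # alg "none": signature segment left empty


def analyze(token: str, now: Optional[int] = None) -> List[str]:
    """Passive checks a scanner can run on a captured token; returns sorted findings."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    findings: List[str] = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or parts[2] == "":  # also catches "None"/"NONE" variants
        findings.append("alg none / unsigned token")
    if alg == "HS256":
        signing_input = (parts[0] + "." + parts[1]).encode()
        sig = b64url_decode(parts[2])
        for k in WEAK_KEYS:
            if hmac.compare_digest(hmac.new(k, signing_input, hashlib.sha256).digest(), sig):
                findings.append(f"HS256 weak key: {k.decode()}")
                break
    if "exp" not in payload:
        findings.append("no exp claim")
    elif payload["exp"] < now:
        findings.append("expired")
    for claim in sorted(SENSITIVE_CLAIMS & set(payload)):
        findings.append(f"sensitive claim: {claim}")
    return sorted(findings)


def _hs256_ok(h: str, p: str, s: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def verify_vulnerable(token: str, key_material: bytes) -> Optional[dict]:
    """Anti-pattern: the token header chooses the algorithm. In an RS256 deployment
    key_material is the public key PEM, which an attacker can fetch and use as an HMAC key."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))  # unsigned token accepted
    if alg == "HS256":
        return json.loads(b64url_decode(p)) if _hs256_ok(h, p, s, key_material) else None
    if alg == "RS256":
        raise NotImplementedError("RSA verification omitted; the forged tokens never reach here")
    return None


def verify_fixed(token: str, expected_alg: str, key_material: bytes) -> Optional[dict]:
    """Pin the algorithm server-side before any key material is touched."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        return None  # rejects "none" and RS256->HS256 confusion headers outright
    if expected_alg == "HS256":
        return json.loads(b64url_decode(p)) if _hs256_ok(h, p, s, key_material) else None
    raise NotImplementedError("RSA verification omitted in this demo")


if __name__ == "__main__":
    forged = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "admin", "exp": 1700000600}, PUBLIC_KEY_PEM)
    print("vulnerable verifier:", verify_vulnerable(forged, PUBLIC_KEY_PEM))
    print("fixed verifier:     ", verify_fixed(forged, "RS256", PUBLIC_KEY_PEM))
    print("findings:", analyze(make_token({"alg": "none"}, {"sub": "admin"}, None)))
```

The confusion forgery works because the vulnerable verifier derives the algorithm from attacker-controlled input and then hands the same key material to whatever primitive that algorithm names; pinning `expected_alg` in server configuration closes both the "none" and the HS256 paths in one check.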
Why it matters
A weak JWT implementation lets an attacker forge tokens and impersonate any user, including administrators. The "none" algorithm bypass and RS256→HS256 confusion have each been exploited against production JWT libraries and the applications built on them. JWT payloads are only base64url-encoded, not encrypted, so any sensitive data placed in the claims is readable by whoever holds the token.
Common findings
OWASP Top 10 coverage
Related checks
Vulnerability Detection
Test your login, signup, and password reset flows for common security weaknesses.
Configuration Audit
Audit cookie flags, session management, and token security for your application.
Vulnerability Detection
Detect exposed API keys, tokens, and secrets in your frontend code and responses.