Test JSON Web Tokens against common vulnerability patterns. All attacks run client-side — no data is sent to any server.
Test JWT security with 5 attack classes: alg:none bypass, kid injection, secret brute-force, algorithm confusion, and key injection.
alg:none on server side — bypasses signature verification → JWT Decoderkid — it can enable path traversal or SQL injectionexp claim and reject expired tokens — missing expiry = permanent access