Find the JWT vulnerability

Identify what's wrong with a JWT — alg=none, expired, aud mismatch, RS↔HS confusion, and more.