Find the JWT vulnerability
Identify what's wrong with a JWT — alg=none, expired, aud mismatch, RS↔HS confusion, and more.
About JWT Heist
JWT Heist presents a JWT token and asks you to identify the security flaw. Every day everyone gets the same challenge so you can compare results. Topics include algorithm confusion, missing claims, replay attacks, key injection, and more.
Why it helps
- Build intuition for the most exploited JWT vulnerabilities in real APIs.
- Learn to spot alg=none, expired tokens, audience mismatches, and key confusion attacks.
- Use the related JWT & OAuth Toolkit to decode and inspect real tokens.
Runs locally in your browser. Progress is stored only in this browser.
What this challenge teaches
Find the JWT vulnerability is a short drill for JWT risk review. You are inspecting a token and need to spot expiry, issuer, audience, algorithm, key-confusion, or unsafe claim issues.
Example reasoning path
- Read the prompt and identify the artifact type before looking at the answer choices.
- Compare the expected target with each candidate result and eliminate options that are only formatting changes.
- Decoding a JWT is not the same as trusting it; signature verification and issuer policy still matter.
After you solve it
Open JWT & OAuth Tools to apply the same skill to your own data. For a broader practice loop, return to Skill Challenges or open Workflow Gallery when the task needs multiple tools.
Challenge state stays local to this browser. Do not paste production secrets into practice prompts.
Practice notes for real projects
Use this page as a warm-up before touching real project data. Read the prompt, write down the signal you are looking for, and only then compare answer choices. That habit carries over to production debugging, where the first visible error is often a symptom rather than the root cause.
After the challenge, recreate the same pattern in the linked tool with a harmless sample. For example, replace real tokens, user identifiers, hostnames, and request bodies with safe values, then verify that the same reasoning still works. This keeps practice useful without exposing private data.
- Save time by checking the smallest artifact that reproduces the issue.
- Write one sentence explaining why the wrong answers fail; that explanation is the skill to reuse later.
- If the challenge involves security, treat decoded or inspected data as untrusted until a separate verification step confirms it.