About JWT Heist
JWT Heist presents a JWT and asks you to identify the security flaw in it. Every day everyone gets the same challenge, so you can compare results. Topics include algorithm confusion, missing claims, replay attacks, key injection, and more.
Why it helps
- Build intuition for the most exploited JWT vulnerabilities in real APIs.
- Learn to spot alg=none, expired tokens, audience mismatches, and key confusion attacks.
- Use the related JWT & OAuth Toolkit to decode and inspect real tokens.
Runs locally in your browser. Progress is stored only in this browser.
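To make the categories above concrete, here is an added example (not code from JWT Heist or its toolkit) of a server-side audit routine that decodes a compact JWT and reports the flaws the challenge asks you to spot: alg=none, an algorithm header that differs from the one the server pins, attacker-supplied key material in the header (jwk, jku, x5u), a bad or missing signature, a missing or past exp, an aud that does not name this API, and a missing jti (so replays cannot be tracked). The key, audience, clock value and sample tokens are constructed for the demo; the only dependency is the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo (not from the page): a shared HMAC key,
# the audience the API expects, and a fixed clock so results are repeatable.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_AUD = "api.example.test"
DEMO_NOW = 1_700_000_000


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Mint a compact JWT for the samples: HS256-signed, or unsigned if alg is none."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def audit_token(token, key, expected_aud, expected_alg="HS256", now=None):
    """Return a list of findings; an empty list means the token passed every check."""
    now = int(time.time()) if now is None else now
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["malformed: header or payload is not base64url-encoded JSON"]

    # 1. alg=none and algorithm confusion: the server pins the algorithm; the
    #    header is never allowed to choose it.
    alg = header.get("alg")
    if alg in (None, "none", "None", "NONE"):
        findings.append("alg=none: unsigned token")
    elif alg != expected_alg:
        findings.append(f"algorithm confusion: header says {alg!r}, server expects {expected_alg!r}")
    else:
        expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
            findings.append("signature: HMAC does not verify under the server key")

    # 2. Key injection: header fields that let the token name its own verification key.
    for field in ("jwk", "jku", "x5u"):
        if field in header:
            findings.append(f"key injection: header field {field!r} must not be trusted")

    # 3. Expiry: exp is required and must be in the future.
    if "exp" not in payload:
        findings.append("missing claim: exp")
    elif payload["exp"] <= now:
        findings.append("expired: exp is in the past")

    # 4. Audience: aud may be a string or a list; this API's name must appear in it.
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if aud is None:
        findings.append("missing claim: aud")
    elif expected_aud not in aud_list:
        findings.append(f"audience mismatch: {aud!r} is not {expected_aud!r}")

    # 5. Replay: without a unique jti the server cannot keep a seen-token list.
    if "jti" not in payload:
        findings.append("missing claim: jti (replay cannot be detected)")
    return findings


def audit_samples():
    """Constructed tokens, one per flaw plus one clean token; returns {name: findings}."""
    base = {"sub": "alice", "aud": DEMO_AUD, "exp": DEMO_NOW + 600, "jti": "c0ffee"}
    hs = {"alg": "HS256", "typ": "JWT"}
    samples = {
        "clean": make_token(hs, base, DEMO_KEY),
        "alg_none": make_token({"alg": "none", "typ": "JWT"}, base, DEMO_KEY),
        "expired": make_token(hs, {**base, "exp": DEMO_NOW - 1}, DEMO_KEY),
        "wrong_aud": make_token(hs, {**base, "aud": "other.example.test"}, DEMO_KEY),
        "key_confusion": make_token({"alg": "RS256", "typ": "JWT"}, base, DEMO_KEY),
        "key_injection": make_token({**hs, "jwk": {"kty": "oct", "k": "AAAA"}}, base, DEMO_KEY),
        "no_jti": make_token(hs, {k: v for k, v in base.items() if k != "jti"}, DEMO_KEY),
    }
    return {name: audit_token(tok, DEMO_KEY, DEMO_AUD, now=DEMO_NOW)
            for name, tok in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name:14s} -> {findings or 'OK'}")
```

The ordering of the checks matters: the algorithm is compared against the server's pinned value before any signature is computed, so a token claiming RS256 against an HS256 deployment is rejected without ever being verified under the wrong key type, and header key material is ignored rather than fetched or used.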