
Api Auth And Jwt Abuse
Authorized API pentest checklist for JWT, bearer tokens, API keys, header spoofing, and rate-limit gaps before you ship auth-heavy backends.
Overview
api-auth-and-jwt-abuse is an agent skill for the Ship phase that guides authorized testing of JWT trust, API keys, header spoofing, and rate-limit weaknesses.
Install
npx skills add https://github.com/yaklang/hack-skills --skill api-auth-and-jwt-abuse
What is this skill?
- Token triage for alg, kid, jku, x5u, and privilege claims
- Quick attack matrix including alg:none, RS256 confusion, and kid injection
- Mass-assignment field picks for role and admin flags
- Rate-limit bypass candidates via X-Forwarded-For and Forwarded headers
- GraphQL and JSON batch abuse scenarios for login and bulk fetch
- Quick attack picks table covering alg:none, RS256 confusion, kid trust, jku/x5u, and weak secret cracking
- Documented mass-assignment and rate-limit header field pick lists
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your API accepts tokens and keys but you have no systematic checklist for claim trust, algorithm confusion, or batch rate-limit bypass.
Who is it for?
Indie API owners running staged pentests or agent-assisted reviews on JWT-backed services they control.
Skip if: Builders without authorization to test targets, frontend-only apps with no auth surface, or production scanning without a defined scope and rollback plan.
When should I use this skill?
Testing bearer tokens, API keys, claim trust, header spoofing, rate limits, and API auth boundary weaknesses on authorized targets.
What do I get? / Deliverables
You get a prioritized test sequence and field lists to document auth boundary flaws and harden issuer, audience, and rate-limit handling before launch.
- Documented repro steps for auth and rate-limit findings
- Prioritized fix list for token validation and claim enforcement
How it compares
Focused JWT and API-auth abuse playbook, not a full DAST scanner or compliance certification template.
Common Questions / FAQ
Who is api-auth-and-jwt-abuse for?
Solo builders and small teams with explicit permission to test their own or client APIs who want agent-guided JWT and API-key abuse coverage during ship security work.
When should I use api-auth-and-jwt-abuse?
Use when testing bearer tokens, API keys, claim trust, header spoofing, rate limits, and API auth boundary weaknesses on staging or in-scope bug bounty programs, before the Grow and Operate phases bring traffic spikes.
Is api-auth-and-jwt-abuse safe to install?
The skill describes offensive test patterns; misuse against systems you do not own is illegal—review the Security Audits panel on this page and restrict agents to authorized environments only.
SKILL.md - Api Auth And Jwt Abuse
# SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

> **AI LOAD INSTRUCTION**: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.

## 1. TOKEN TRIAGE

Inspect:

- `alg`, `kid`, `jku`, `x5u`
- role, org, tenant, scope, or privilege claims
- issuer and audience mismatches
- reuse of mobile and web tokens across products

## 2. QUICK ATTACK PICKS

| Pattern | First Test |
|---|---|
| `alg:none` acceptance | unsigned token with trailing dot |
| RS256 confusion | switch to HS256 using public key as secret |
| `kid` lookup trust | path traversal or injection in `kid` |
| remote key fetch trust | attacker-controlled `jku` or `x5u` |
| weak secret | offline crack with targeted wordlists |

## 3. HIDDEN FIELDS AND BATCH ABUSE

### Mass assignment field picks

```text
role
isAdmin
admin
verified
plan
tier
permissions
org
owner
```

### Rate limit and batch abuse picks

```text
X-Forwarded-For: 1.2.3.4
X-Real-IP: 5.6.7.8
Forwarded: for=9.9.9.9
```

GraphQL or JSON batch abuse candidates:

- arrays of login mutations
- bulk object fetches with varying IDs
- repeated password reset or verification calls in one request

## 4. RATE LIMIT BYPASS FAMILIES

```text
X-Forwarded-For
X-Real-IP
Forwarded
User-Agent rotation
Path case / slash variants
```

## 5. NEXT ROUTING

- For GraphQL batching and hidden parameters: [graphql and hidden parameters](../graphql-and-hidden-parameters/SKILL.md)
- For default credential and brute-force planning: [authentication bypass](../authbypass-authentication-flaws/SKILL.md)
- For full JWT and OAuth depth: [jwt oauth token attacks](../jwt-oauth-token-attacks/SKILL.md)
- For OAuth or OIDC configuration flaws in browser and SSO flows: [oauth oidc misconfiguration](../oauth-oidc-misconfiguration/SKILL.md)
- For credentialed browser reads and origin trust bugs: [cors cross origin misconfiguration](../cors-cross-origin-misconfiguration/SKILL.md)
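An added example, not part of this skill or the hack-skills repository: a stdlib-only Python verifier showing what closes the section 1 triage items and the section 2 token picks on the server side. It pins the algorithm (so `alg:none` and HS/RS confusion fail before any signature work), treats `kid` as an opaque key-table lookup rather than a path, refuses `jku`/`x5u` style key headers outright, and checks issuer, audience and expiry; the key table, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed key table (kid -> HS256 secret). Keys come from configuration only:
# the verifier never fetches keys named in the token and never uses kid as a path.
KEYS = {"api-2024": b"constructed-demo-secret-not-for-production"}
ALLOWED_ALGS = {"HS256"}                 # pinned: alg:none and HS/RS confusion stop here
EXPECTED_ISS = "https://issuer.example"  # assumed issuer for this demo
EXPECTED_AUD = "orders-api"              # assumed audience, i.e. this service

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_token(token, now=None):
    """Return (claims, None) on success or (None, reason) naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header = json.loads(b64url_decode(parts[0]))
    # Any header that asks the server to fetch or embed key material is rejected outright.
    if set(header) & {"jku", "x5u", "x5c", "jwk"}:
        return None, "remote or embedded key headers not trusted"
    if header.get("alg") not in ALLOWED_ALGS:  # checked before any signature work
        return None, "algorithm not allowed"
    key = KEYS.get(header.get("kid"))    # kid is an opaque dictionary key, nothing more
    if key is None:
        return None, "unknown kid"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None, "bad signature"
    claims = json.loads(b64url_decode(parts[1]))
    # Issuer and audience must match this service; a token minted for another product is refused.
    if claims.get("iss") != EXPECTED_ISS:
        return None, "issuer mismatch"
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        return None, "audience mismatch"
    if "exp" not in claims or now >= float(claims["exp"]):
        return None, "expired or missing exp"
    return claims, None

def mint_hs256(claims, kid):
    # Fixture helper: a correctly signed token so the checks above can be exercised.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"
```

Each rejection reason is a stable string, which is what you want to log and alert on when a test harness or a live client starts presenting unsigned or cross-product tokens.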