Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.

A new client-side JWT decoder catches subtle token flaws that jwt.io ignores. But securing JWTs is still a server-side problem. Here's the full picture from someone who's exploited these bugs in production.
JWTs are meant to be opaque to users. They're not. Here's what I learn about your architecture just by decoding one.