api-auth-and-jwt-abuse
API authentication and JWT abuse playbook. Use when testing bearer tokens, API keys, claim trust, header spoofing, rate limits, and API auth boundary weaknesses.
How do I install this agent skill?
npx skills add https://github.com/yaklang/hack-skills --skill api-auth-and-jwt-abuseIs this agent skill safe to install?
- Gen Agent Trust Hubpass
The skill is a security testing playbook for API authentication and JWT abuse. It provides reference patterns for testing vulnerabilities like weak signatures, header spoofing, and rate limit bypasses. The skill is purely instructional and contains no malicious code or unsafe operations.
- Socketwarn
1 alert: gptSecurity
- Snykfail
Risk: CRITICAL · 1 issue
- ZeroLeakspass
Score: 93/100 · 2 sections analyzed
What does this agent skill do?
SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits
AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.
1. TOKEN TRIAGE
Inspect:
alg,kid,jku,x5u- role, org, tenant, scope, or privilege claims
- issuer and audience mismatches
- reuse of mobile and web tokens across products
2. QUICK ATTACK PICKS
| Pattern | First Test |
|---|---|
alg:none acceptance | unsigned token with trailing dot |
| RS256 confusion | switch to HS256 using public key as secret |
kid lookup trust | path traversal or injection in kid |
| remote key fetch trust | attacker-controlled jku or x5u |
| weak secret | offline crack with targeted wordlists |
3. HIDDEN FIELDS AND BATCH ABUSE
Mass assignment field picks
role
isAdmin
admin
verified
plan
tier
permissions
org
owner
Rate limit and batch abuse picks
X-Forwarded-For: 1.2.3.4
X-Real-IP: 5.6.7.8
Forwarded: for=9.9.9.9
GraphQL or JSON batch abuse candidates:
- arrays of login mutations
- bulk object fetches with varying IDs
- repeated password reset or verification calls in one request
4. RATE LIMIT BYPASS FAMILIES
X-Forwarded-For
X-Real-IP
Forwarded
User-Agent rotation
Path case / slash variants
5. NEXT ROUTING
- For GraphQL batching and hidden parameters: graphql and hidden parameters
- For default credential and brute-force planning: authentication bypass
- For full JWT and OAuth depth: jwt oauth token attacks
- For OAuth or OIDC configuration flaws in browser and SSO flows: oauth oidc misconfiguration
- For credentialed browser reads and origin trust bugs: cors cross origin misconfiguration
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/yaklang/hack-skills/api-auth-and-jwt-abuse">View api-auth-and-jwt-abuse on skillZs</a>