Skill

implementing-jwt-signing-and-verification

Implements secure JWT signing with HS256, RS256, ES256, EdDSA; verifies signatures, claims, expiration; defends against algorithm confusion, none alg, key injection attacks.

Python

JWT

security

authentication

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256, RSA-PSS, and EdDSA algorithms, along with verification, token expiration, claims validation, and defense against common JWT attacks (algorithm confusion, none algorithm, key injection).

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Implementing JWT Signing and Verification

Overview

When to Use

When deploying or configuring implementing jwt signing and verification capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Familiarity with cryptography concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Implement JWT signing with HS256, RS256, ES256, and EdDSA
Verify JWT signatures and validate standard claims
Implement token expiration, not-before, and audience validation
Defend against algorithm confusion and none algorithm attacks
Implement JWT key rotation with JWK Sets
Build a complete authentication middleware

Key Concepts

JWT Algorithms

Algorithm	Type	Key	Security Level
HS256	Symmetric (HMAC)	Shared secret	128-bit
RS256	Asymmetric (RSA)	RSA key pair	112-bit
ES256	Asymmetric (ECDSA)	P-256 key pair	128-bit
EdDSA	Asymmetric (Ed25519)	Ed25519 pair	128-bit

Common JWT Attacks

Algorithm confusion: Switching from RS256 to HS256, using public key as HMAC secret
None algorithm: Setting alg=none to bypass signature verification
Key injection: Embedding key in JWK header
Weak secrets: Brute-forcing short HMAC secrets
Token replay: Reusing valid tokens without expiration

Security Considerations

Always validate the algorithm header against an allowlist
Never accept alg=none in production
Use asymmetric algorithms (RS256, ES256) for distributed systems
Set short expiration times (15 min for access tokens)
Implement token refresh mechanism
Store secrets securely (not in source code)

Validation Criteria

JWT signing produces valid tokens for all algorithms
Signature verification rejects tampered tokens
Expired tokens are rejected
Algorithm confusion attack is prevented
None algorithm is rejected
JWK key rotation works correctly
Claims validation enforces all required claims