Skill

implementing-jwt-signing-and-verification

From asi

Implements secure JWT signing with HS256, RS256, ES256, EdDSA and verification in Python, including expiration, claims validation, key rotation, and defenses against algorithm confusion, none alg, key injection.

Python

JWT

security

authentication

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256, RSA-PSS, and EdDSA algorithms, along with verification, token expiration, claims validation, and defense against common JWT attacks (algorithm confusion, none algorithm, key injection).

SKILL.md

Similar Skills

implementing-jwt-signing-and-verification

5.9k

Implements secure JWT signing with HS256, RS256, ES256, EdDSA; verifies signatures, claims, expiration; defends against algorithm confusion, none alg, key injection attacks.

7 files

cybersecurity-skills

implementing-jwt-signing-and-verification

Implements secure JWT signing using HMAC-SHA256, RSA-PSS, EdDSA and verification with expiration, claims checks, JWK rotation, and defenses against algorithm confusion, none alg, key injection. Useful for web auth.

7 files

cybersecurity-skills-zh

jwt-attacks

Audits JWT implementations for vulnerabilities like algorithm confusion, none alg bypass, weak secrets, JWK injection, and kid attacks in JS/TS/Python/Go code.

3 files

find-cve-agent

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Implementing JWT Signing and Verification

Overview

When to Use

When deploying or configuring implementing jwt signing and verification capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Familiarity with cryptography concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Implement JWT signing with HS256, RS256, ES256, and EdDSA
Verify JWT signatures and validate standard claims
Implement token expiration, not-before, and audience validation
Defend against algorithm confusion and none algorithm attacks
Implement JWT key rotation with JWK Sets
Build a complete authentication middleware

Key Concepts

JWT Algorithms

Algorithm	Type	Key	Security Level
HS256	Symmetric (HMAC)	Shared secret	128-bit
RS256	Asymmetric (RSA)	RSA key pair	112-bit
ES256	Asymmetric (ECDSA)	P-256 key pair	128-bit
EdDSA	Asymmetric (Ed25519)	Ed25519 pair	128-bit

Common JWT Attacks

Algorithm confusion: Switching from RS256 to HS256, using public key as HMAC secret
None algorithm: Setting alg=none to bypass signature verification
Key injection: Embedding key in JWK header
Weak secrets: Brute-forcing short HMAC secrets
Token replay: Reusing valid tokens without expiration

Security Considerations

Always validate the algorithm header against an allowlist
Never accept alg=none in production
Use asymmetric algorithms (RS256, ES256) for distributed systems
Set short expiration times (15 min for access tokens)
Implement token refresh mechanism
Store secrets securely (not in source code)

Validation Criteria

JWT signing produces valid tokens for all algorithms
Signature verification rejects tampered tokens
Expired tokens are rejected
Algorithm confusion attack is prevented
None algorithm is rejected
JWK key rotation works correctly
Claims validation enforces all required claims