SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.

1. TOKEN TRIAGE

• alg

  ,

  kid

  ,

  jku

  ,

  x5u

• role, org, tenant, scope, or privilege claims
• issuer and audience mismatches
• reuse of mobile and web tokens across products

2. QUICK ATTACK PICKS

alg:none

kid

kid

jku

x5u

3. HIDDEN FIELDS AND BATCH ABUSE

Mass assignment field picks

role
isAdmin
admin
verified
plan
tier
permissions
org
owner

Rate limit and batch abuse picks

X-Forwarded-For: 1.2.3.4
X-Real-IP: 5.6.7.8
Forwarded: for=9.9.9.9

• arrays of login mutations
• bulk object fetches with varying IDs
• repeated password reset or verification calls in one request

4. RATE LIMIT BYPASS FAMILIES

X-Forwarded-For
X-Real-IP
Forwarded
User-Agent rotation
Path case / slash variants

5. NEXT ROUTING

• For GraphQL batching and hidden parameters: graphql and hidden parameters
• For default credential and brute-force planning: authentication bypass
• For full JWT and OAuth depth: jwt oauth token attacks
• For OAuth or OIDC configuration flaws in browser and SSO flows: oauth oidc misconfiguration
• For credentialed browser reads and origin trust bugs: cors cross origin misconfiguration