fadaly.net/work/jwt-workbench
WEB INSPECTOR

JWT.

18 production JWTs inspected for algorithm + claims hygiene. 5 use HS256 with secrets shorter than 256 bits. 2 still accept "alg: none" tokens in the verifier path.

A JWT verifier that accepts "alg: none" isn't a verifier.

JW-008 · auth-api · refresh path ALG NONE
Library default left "alg: none" enabled. Accepts unsigned tokens.
Pin verifier to RS256 only, deploy this week, audit auth logs.
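Added example (not code from the workbench or from auth-api) of what "pin verifier to RS256 only" means in practice: the alg field is checked against the single permitted value before any signature work, so the unsigned "alg: none" shape from the finding, an alg downgrade, a tampered payload and a malformed token are all refused. Key material, header shape and payload are constructed assumptions; standard library only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding

// verifyRS256 returns the payload only if the header alg is exactly "RS256" and the
// RSA-SHA256 signature verifies under pub. The alg pin runs before any crypto: the header
// is attacker-controlled until then, so "none", "HS256" and unknown values are refused.
func verifyRS256(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdr, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errS != nil {
		return nil, errors.New("bad base64url segment")
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != "RS256" {
		return nil, errors.New("alg not permitted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature invalid")
	}
	return b64.DecodeString(parts[1])
}

// signRS256 mints a correctly signed token (constructed demo fixture, not page data).
func signRS256(payload []byte, priv *rsa.PrivateKey) (string, error) {
	signing := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig), err
}

// unsignedToken is the "alg: none" shape from the finding: same payload, empty signature.
func unsignedToken(payload []byte) string {
	return b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + b64.EncodeToString(payload) + "."
}
```

In a real service this gate is not hand-rolled; the same effect comes from setting the JWT library's allowed-algorithms list to exactly RS256 rather than relying on its default.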