Anthropic-Cybersecurity-Skills implementing-jwt-signing-and-verification
JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/implementing-jwt-signing-and-verification" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-implementing-jwt-signing-and-verificatio && rm -rf "$T"
manifest:
skills/implementing-jwt-signing-and-verification/SKILL.mdsource content
Implementing JWT Signing and Verification
Overview
JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256, RSA-PSS, and EdDSA algorithms, along with verification, token expiration, claims validation, and defense against common JWT attacks (algorithm confusion, none algorithm, key injection).
When to Use
- When deploying or configuring implementing jwt signing and verification capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with cryptography concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Objectives
- Implement JWT signing with HS256, RS256, ES256, and EdDSA
- Verify JWT signatures and validate standard claims
- Implement token expiration, not-before, and audience validation
- Defend against algorithm confusion and none algorithm attacks
- Implement JWT key rotation with JWK Sets
- Build a complete authentication middleware
Key Concepts
JWT Algorithms
| Algorithm | Type | Key | Security Level |
|---|---|---|---|
| HS256 | Symmetric (HMAC) | Shared secret | 128-bit |
| RS256 | Asymmetric (RSA) | RSA key pair | 112-bit |
| ES256 | Asymmetric (ECDSA) | P-256 key pair | 128-bit |
| EdDSA | Asymmetric (Ed25519) | Ed25519 pair | 128-bit |
Common JWT Attacks
- Algorithm confusion: Switching from RS256 to HS256, using public key as HMAC secret
- None algorithm: Setting alg=none to bypass signature verification
- Key injection: Embedding key in JWK header
- Weak secrets: Brute-forcing short HMAC secrets
- Token replay: Reusing valid tokens without expiration
Security Considerations
- Always validate the algorithm header against an allowlist
- Never accept alg=none in production
- Use asymmetric algorithms (RS256, ES256) for distributed systems
- Set short expiration times (15 min for access tokens)
- Implement token refresh mechanism
- Store secrets securely (not in source code)
Validation Criteria
- JWT signing produces valid tokens for all algorithms
- Signature verification rejects tampered tokens
- Expired tokens are rejected
- Algorithm confusion attack is prevented
- None algorithm is rejected
- JWK key rotation works correctly
- Claims validation enforces all required claims