L The IntegrAuth Lab

← All practicals

P5

Read your own token

Issue a real ES256 JWT, then tamper with it and watch verification fail.

  1. 1

    Issue a 5-minute demo token for your session.

    It’s a hand-rolled ES256 JWS signed by the Lab’s key; the kid is its RFC 7638 thumbprint, discoverable at /.well-known/jwks.json.

  2. 2

    Change one character of the payload and re-verify.

    The signature no longer covers the bytes, so verification returns bad_signature — that’s exactly what stops an attacker editing “sub” or “aud”.

  3. 3

    Let it expire (or check aud) and verify again.

    exp and aud are checked against the active public key — the same validation a real resource server must do.

Do it

The public key is served at /.well-known/jwks.json (also /api/jwks).

🩻 X-ray — what actually happened

Your own insert-only audit trail — the real server events, sanitized (never a secret), each linked to the lesson that explains it.

Loading…