Read your own token
Issue a real ES256 JWT, then tamper with it and watch verification fail.
- 1
Issue a 5-minute demo token for your session.
It’s a hand-rolled ES256 JWS signed by the Lab’s key; the kid is its RFC 7638 thumbprint, discoverable at /.well-known/jwks.json.
- 2
Change one character of the payload and re-verify.
The signature no longer covers the bytes, so verification returns bad_signature — that’s exactly what stops an attacker editing “sub” or “aud”.
- 3
Let it expire (or check aud) and verify again.
exp and aud are checked against the active public key — the same validation a real resource server must do.
Do it
The public key is served at /.well-known/jwks.json (also /api/jwks).
Learn the theory
🩻 X-ray — what actually happened
Your own insert-only audit trail — the real server events, sanitized (never a secret), each linked to the lesson that explains it.
Loading…