api-auth-and-jwt-abuse

SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.

1. TOKEN TRIAGE

Inspect:

  • alg, kid, jku, x5u
  • role, org, tenant, scope, or privilege claims
  • issuer and audience mismatches
  • reuse of mobile and web tokens across products
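
Added example, not part of the original skill: a read-only Python triage pass over the header parameters and claims listed above, reporting what a reviewer should follow up on. The issuer, audience, algorithm allowlist and sample token are assumed, constructed values; the function decodes without verifying the signature, so its output is for review and never for authorization decisions.

```python
import base64
import json

# Assumed deployment policy (hypothetical values, not from the page).
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "orders-api"
ALLOWED_ALGS = {"RS256", "ES256"}

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def _encode(obj):
    """Encode a dict as an unpadded base64url segment (used for the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def triage(token):
    """Return (header, claims, findings) for a compact JWS; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    findings = []
    if header.get("alg") not in ALLOWED_ALGS:
        findings.append(f"alg {header.get('alg')!r} is not in the allowlist")
    for name in ("kid", "jku", "x5u"):
        if name in header:
            findings.append(f"header {name} present: confirm key lookup is pinned server-side")
    if claims.get("iss") != EXPECTED_ISS:
        findings.append("iss mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud mismatch: token was issued for another product")
    for name in ("role", "org", "tenant", "scope"):
        if name in claims:
            findings.append(f"claim {name}={claims[name]!r}: confirm it is checked against server state")
    return header, claims, findings

# Constructed sample token: a mobile-app token presented to the orders API.
SAMPLE = ".".join([
    _encode({"alg": "HS256", "kid": "k1", "jku": "https://keys.example.test/jwks.json"}),
    _encode({"iss": EXPECTED_ISS, "aud": "mobile-app", "role": "admin", "tenant": "t-42"}),
    "sig",  # placeholder signature segment, never decoded or verified here
])

if __name__ == "__main__":
    for finding in triage(SAMPLE)[2]:
        print("-", finding)
```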

2. QUICK ATTACK PICKS

Installs: 514
GitHub Stars: 620
First Seen: Apr 8, 2026