JWT key confusion (alg)

TL;DR: Switching alg from RS256 to HS256 makes the verifier use the RSA public key as the HMAC secret.

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

https://portswigger.net/web-security/jwt/algorithm-confusion
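For the Detection and defence section, an added example that is not part of this page or of the PortSwigger reference: a header-policy check that refuses to act on a presented token whose alg differs from the issuer's known RS256 (so an HS256 header is rejected before any key, public or secret, is selected), plus the same check run as a detector over constructed access-log lines. The RS256-only policy, the log format and the sample tokens are assumptions; only the Python standard library is used.

```python
import base64
import json
import re

# Assumed policy: the issuer only mints RS256 tokens; any other alg is suspect.
EXPECTED_ALG = "RS256"
# Three base64url segments; the signature segment may be empty (alg "none").
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]*")
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(token: str, expected_alg: str = EXPECTED_ALG):
    """None if the header agrees with policy, else a reason. No signature check
    on purpose: reject on the header alone, before any key material is chosen."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed: expected three segments"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return "malformed: header is not base64url JSON"
    # Exact match only: "none", "HS256", a missing alg or a non-string all fail.
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != expected_alg:
        return f"alg mismatch: got {alg}, policy requires {expected_alg}"
    return None

def scan_log(lines, expected_alg: str = EXPECTED_ALG):
    """Flag every JWT in the log lines whose header violates policy."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for token in JWT_RE.findall(line):
            reason = inspect_jwt(token, expected_alg)
            if reason is not None:
                findings.append((lineno, reason))
    return findings

def sample_token(alg: str, sig: str = "c2lnbmF0dXJl") -> str:
    # Constructed sample token: valid structure, placeholder signature.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": "alice"}).encode())
    return f"{header}.{payload}.{sig}"

# Constructed gateway access log: legitimate, HS256-header and unsigned tokens.
SAMPLE_LOG = [
    f'10.0.0.5 GET /api/me 200 auth=Bearer {sample_token("RS256")}',
    f'10.0.0.9 GET /api/admin 200 auth=Bearer {sample_token("HS256")}',
    f'10.0.0.9 GET /api/admin 200 auth=Bearer {sample_token("none", sig="")}',
]
```

The same `inspect_jwt` gate belongs at the front of a verifier: pin the algorithm in server configuration and never let the token's header choose the key type.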