Findings
Non-standard JSON Web Token
Updated: June 19, 2025
Description
An endpoint is using JSON Web Tokens (JWT) that do not adhere to the best current practices detailed in RFC8725. JSON Web Tokens (RFC7519) define a compact, self-contained way of securely transmitting information between parties as a JSON object. A JWT can be enclosed in a signed or encrypted container, JSON Web Signature (JWS) or JSON Web Encryption (JWE). The [JOSE IANA registry](https://www.iana.org/assignments/jose/jose.xhtml) lists the registered algorithms. The RFC8725 best current practices describe common pitfalls in the JWx specifications and in their implementations (for example, accepting whichever algorithm the token header names instead of one the verifier expects). An API using JWT should state explicitly in its description that the implementation conforms to RFC8725.
Remediation
Bring the JWT used in the endpoint in line with RFC8725.
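As an added example (not part of this finding page or of any vendor's code), the following minimal HS256 verifier in Python applies the RFC8725 checks the description refers to: the algorithm and token type come from verifier configuration rather than from the token header, unknown `crit` parameters are refused, the signature is compared in constant time, and issuer, audience and expiry are validated. The key, issuer and audience values are constructed for the demonstration and are not from any real deployment.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not from any real deployment).
DEMO_KEY = b"constructed-demo-hmac-key-with-32+-bytes"  # RFC 8725 sec. 3.5: keys need real entropy
DEMO_ISSUER = "https://issuer.example"
DEMO_AUDIENCE = "https://api.example"


class JWTError(Exception):
    """Raised for every token the verifier refuses; callers treat it as 'not authenticated'."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, typ: str = "JWT") -> str:
    """Issue a compact JWS signed with HMAC-SHA256 (used here to build the sample tokens)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": typ}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """Test fixture: a token whose header says 'alg: none' and carries no signature."""
    head = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}."


def verify_jwt(token: str, key: bytes, *, issuer: str, audience: str,
               expected_alg: str = "HS256", expected_typ: str = "JWT", now=None) -> dict:
    """Return the claims of a token that passes every check; raise JWTError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("expected a three-part compact JWS")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise JWTError(f"malformed token: {exc}") from exc
    # RFC 8725 sec. 3.1/3.2: the verifier decides the algorithm; the header must merely agree.
    if expected_alg != "HS256":
        raise JWTError("this example verifier implements HS256 only")
    if header.get("alg") != expected_alg:
        raise JWTError(f"algorithm {header.get('alg')!r} is not permitted for this endpoint")
    # RFC 8725 sec. 3.11: explicit typing, so tokens minted for another purpose are not accepted.
    if header.get("typ") != expected_typ:
        raise JWTError(f"unexpected token type {header.get('typ')!r}")
    # RFC 7515 sec. 4.1.11: a 'crit' parameter we do not understand makes the token invalid.
    if "crit" in header:
        raise JWTError("unsupported critical header parameters")
    # Constant-time signature check over the exact bytes that were received.
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JWTError("signature verification failed")
    # RFC 8725 sec. 3.8/3.9: issuer and audience must be validated, not merely present.
    if claims.get("iss") != issuer:
        raise JWTError(f"untrusted issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JWTError("token was not issued for this audience")
    # RFC 7519 sec. 4.1.4/4.1.5: 'exp' is required by this verifier; 'nbf' is honoured if present.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        raise JWTError("token has no valid 'exp' or has expired")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise JWTError("token is not yet valid")
    return claims


def is_rejected(token: str, key: bytes = DEMO_KEY, **kwargs) -> bool:
    """Convenience wrapper: True when verify_jwt refuses the token with the given settings."""
    kwargs.setdefault("issuer", DEMO_ISSUER)
    kwargs.setdefault("audience", DEMO_AUDIENCE)
    try:
        verify_jwt(token, key, **kwargs)
        return False
    except JWTError:
        return True


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "user-42", "exp": now + 600}
    good = sign_hs256(claims, DEMO_KEY)
    print("valid token subject:", verify_jwt(good, DEMO_KEY, issuer=DEMO_ISSUER,
                                             audience=DEMO_AUDIENCE, now=now)["sub"])
    print("alg=none rejected:", is_rejected(unsigned_token(claims), now=now))
    print("expired rejected:", is_rejected(good, now=now + 601))
    print("wrong audience rejected:", is_rejected(good, audience="https://other.example", now=now))
```

The verifier deliberately takes `expected_alg` and `expected_typ` from its caller and supports a single algorithm; a production service would hold one such configuration per token kind (RFC8725 sec. 3.12) and a key lookup per `kid`, but the shape of the checks stays the same.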
Security Frameworks
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client/user compromises API security overall.
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising the system's ability to identify the client or user compromises API security overall.