Expected Findings
- `alg=none` and HMAC algorithms are rejected.
- `kid` is matched against an explicit set of public keys.
- JWKS endpoint exposes only public keys.
Clean Reference
ref-jwt (Clean Reference)
Reference JWT verifier with RS256, an explicit `kid` allow-list, and rejection of `alg=none` and `alg=HS256`. Any finding here is a false positive.
Reference probe
Primary Flows
- Verify (rejects none) POST alg=none, returns 400
- JWKS Public keys only
- Verifier policy Allowed algorithms
Signals
Policy
allowed_algs = ["RS256"]; allowed_kids = {"prod-2026-q1","prod-2026-q2"}
Notes
- This scenario is a true-negative control.