SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.

1. TOKEN TRIAGE

Inspect:
- , , ,
- role, org, tenant, scope, or privilege claims
- issuer and audience mismatches
- reuse of mobile and web tokens across products

2. QUICK ATTACK PICKS

| Pattern | First Test |
|---|---|
| acceptance | unsigned token with trailing dot |
| RS256 confusion | switch to HS256 using publi…
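The triage list and the attack table above describe what a verifier has to get right: the algorithm must be chosen by the server rather than read from the token header, an empty signature segment (the "trailing dot" form) must fail hard, and issuer, audience and expiry must be checked as trust-boundary claims. The following is an added example, not code from this skill page or any library it refers to; it is a minimal HS256 verifier written with only the Python standard library. The issuer and audience strings, the signing key, the `mint_hs256` helper used to build sample tokens, and the `tamper_header` helper used to build the rejected test inputs are all constructed for this demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Server-side policy: the accepted algorithm is pinned here and never taken from the token.
ALLOWED_ALGS = {"HS256"}
EXPECTED_ISS = "https://issuer.example"  # constructed value for this demo
EXPECTED_AUD = "api.example"             # constructed value for this demo


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token; used here only to construct sample inputs for the checks."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def tamper_header(token: str, alg: str) -> str:
    """Test-vector builder: swap the header alg and drop the signature (trailing-dot form)."""
    _, body, _ = token.split(".")
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    return f"{header}.{body}."


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Tuple[bool, str, Optional[dict]]:
    """Return (accepted, reason, claims); claims are returned only when every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        # Rejects the unsigned "header.payload." form: an empty signature segment is a hard failure.
        return False, "malformed: expected three non-empty segments", None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed: segments are not base64url JSON", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed: header and payload must be JSON objects", None

    # 1. Algorithm pinning: 'none', 'None', 'RS256' and anything else not in the allow-list
    #    is refused before any cryptography runs; the verifier picks the algorithm, not the token.
    if header.get("alg") not in ALLOWED_ALGS:
        return False, f"algorithm not allowed: {header.get('alg')!r}", None

    # 2. Signature check over the exact header.payload bytes, constant-time comparison.
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None

    # 3. Trust-boundary claims: issuer, audience and expiry must be present and must match.
    if claims.get("iss") != EXPECTED_ISS:
        return False, "issuer mismatch", None
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud_list:
        return False, "audience mismatch", None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "missing or expired exp", None
    return True, "ok", claims


# Constructed sample inputs for a stand-alone run.
KEY = b"constructed-demo-key-do-not-reuse"
NOW = 1_700_000_000
GOOD = mint_hs256({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user-42", "exp": NOW + 300}, KEY)
WRONG_AUD = mint_hs256({"iss": EXPECTED_ISS, "aud": "other-product", "sub": "user-42", "exp": NOW + 300}, KEY)

if __name__ == "__main__":
    for label, tok, k, t in [
        ("valid", GOOD, KEY, NOW),
        ("alg none, trailing dot", tamper_header(GOOD, "none"), KEY, NOW),
        ("alg switched to RS256", tamper_header(GOOD, "RS256"), KEY, NOW),
        ("wrong key", GOOD, b"other-key", NOW),
        ("token from another product", WRONG_AUD, KEY, NOW),
        ("expired", GOOD, KEY, NOW + 301),
    ]:
        ok, reason, _ = verify_jwt(tok, k, now=t)
        print(f"{label:30s} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The ordering matters: the algorithm check runs before any signature work, so a header asking for `none` or for a different algorithm never reaches the HMAC step, and the audience check is what stops the "reuse of mobile and web tokens across products" item in the triage list, since a token minted for one audience fails here even though its signature is valid.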