Applications decoding a JSON Web Token (JWT) may be vulnerable when the token's signature isn't verified against the key in the process.

Set the verify argument to True or use a framework that does it by default.

This example shows a PyJWT decoding call with the verify argument set to False.
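
The effect of that flag, as an added example that is not from the original page or from PyJWT: a standard-library HS256 decoder whose verify parameter stands in for the library's argument, run over a constructed token whose claims were altered after signing. The function names, secret and claims are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 token: header.payload.signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def decode_hs256(token: str, key: bytes, verify: bool = True) -> dict:
    """Return the claims; with verify=False the signature is never checked."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if verify:
        # Pin the algorithm; never let the token's own header choose it.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected algorithm")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("signature verification failed")
    return claims


def tamper(token: str, **changes) -> str:
    """Constructed test input: rewrite claims while keeping the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = {**json.loads(_b64url_decode(payload_b64)), **changes}
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"
```

With verify=False the altered claims come back as if they were trusted; with the default they raise ValueError. In PyJWT 2.x the same switch is spelled `options={"verify_signature": False}`, so a code review should look for both forms.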

  • PyJWT: Documentation.
  • Authlib JWT: Documentation.
  • Python-Jose: Documentation.