Auth regression tests for CI/CD

Catch silent JWT bugs before prod.

CI auth regression tests + JWKS rotation drift detection. Add 5 lines to your workflow.

GitHub Actions workflow
# .github/workflows/jwt.yml
- uses: redbullhorns/jwtshield-ci@v1
  with:
    issuer:           https://login.example.com
    audience:         api://backend
    fail-on-severity: high
Synthetic-token tests · Zero token retention · OpenAPI 3.1 spec · Audit-trail evidence
// METRICS

  • 5 OIDC presets shipped: Auth0, Okta, Cognito, GitHub Actions, GitLab — drop-in policy templates with JWKS already wired.
  • 24+ documented refusal codes: every refusal named, documented in /docs/errors, and stable across versions.
  • 0 tokens stored: we hash for the audit trail and discard the bearer. Always.
  • 8 verification endpoints: inspect, validate, regression suite, OIDC discovery, lint, rotation, presets, health.
// FEATURE 01 · JWKS

Rotate keys without praying.

/v1/validate/jwks-rotation classifies key rotation between two snapshots as no_change, safe_overlap, overlap, or disjoint. Catch the rotation before in-flight tokens start failing.

  • Per-issuer JWKS cache with single-flight refresh.
  • Refuse on rollback — a removed kid never silently returns.
  • Optional sample-token verification across the rotation boundary.
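A local version of the classification described above, written as an added example and not JWTShield's own code. The class boundaries, the "inflight_at_risk" flag and the use of NO_KEY_OVERLAP for rollback are assumptions drawn from this page's text; snapshot contents and kid names are constructed.

```python
from typing import Optional

def classify_rotation(old_jwks: dict, new_jwks: dict,
                      retired_kids: frozenset = frozenset(),
                      sample_kid: Optional[str] = None) -> dict:
    # old_jwks/new_jwks are two JWKS snapshots; retired_kids holds every kid
    # removed in earlier rotations, which is what makes rollback detectable.
    old = {k["kid"] for k in old_jwks["keys"]}
    new = {k["kid"] for k in new_jwks["keys"]}
    kept, added, removed = old & new, new - old, old - new

    # Rollback: a previously removed kid reappears. Refuse outright; the page
    # treats this as a provider-compromise signal and lists NO_KEY_OVERLAP for it.
    reappeared = sorted(new & set(retired_kids))
    if reappeared:
        return {"class": "rollback", "refuse": True,
                "code": "NO_KEY_OVERLAP", "reappeared": reappeared}

    if not added and not removed:
        cls = "no_change"
    elif not removed:   # keys only added: every in-flight token still verifies
        cls = "safe_overlap"
    elif kept:          # some old keys dropped, some still served
        cls = "overlap"
    else:               # no old key survives: in-flight tokens will fail
        cls = "disjoint"

    result = {"class": cls, "inflight_at_risk": bool(removed),
              "added": sorted(added), "removed": sorted(removed)}
    # Optional sample-token check: does that token's kid still resolve after the rotation?
    if sample_kid is not None:
        result["sample_token_verifies"] = sample_kid in new
    return result

# Constructed snapshots: minimal JWKS "keys" entries with illustrative kids.
OLD = {"keys": [{"kid": "auth0-2026-03", "alg": "RS256"},
                {"kid": "auth0-2026-02", "alg": "RS256"}]}
NEW = {"keys": [{"kid": "auth0-2026-04", "alg": "RS256"},
                {"kid": "auth0-2026-03", "alg": "RS256"}]}

if __name__ == "__main__":
    print(classify_rotation(OLD, NEW, sample_kid="auth0-2026-03"))
```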
// Dashboard mock: /v1/validate/jwks-rotation · cache age 47s
  kid auth0-2026-04  RS256
  kid auth0-2026-03  RS256 · standby
  kid auth0-2026-02  retiring · 7d
  kid auth0-2026-01  retired · evidence-only
  last rotation 4d ago · healthy
// FEATURE 02 · CI

Catch the auth bug in the pull request.

/v1/test/auth-regression runs your fixture suite on every PR. Scope renames, claim drops, audience changes — caught before they reach staging. Negative fixtures assert that broken tokens stay broken.

  • Native examples for GitHub Actions, GitLab CI, and curl.
  • Negative-test fixtures with expected_failure_codes.
  • Aggregate suite status with per-check VerifyResult.
// Sample output: jwtshield ci replay feat/scope-rename
  verify · read:invoices      9ms
  verify · write:billing     11ms
  verify · read:invoices_v2  12ms   scope renamed without alias
  verify · read:reports      10ms
  verify · admin:users       13ms
  4 of 5 passed · 1 regression
// FEATURE 03 · THREAT COVERAGE

Every published JWT attack — refused at the boundary.

We track every disclosure, every CVE, every attack pattern. Default policy refuses all of them. Each refusal lands as a structured finding with a stable code — see /docs/errors for the full taxonomy.

| CVE / Source   | Attack                 | Description                                                    | Refusal code           | Algorithms | Status |
|----------------|------------------------|----------------------------------------------------------------|------------------------|------------|--------|
| CVE-2015-9235  | Algorithm: none        | Token claims its own algorithm is "none"                       | ALG_NONE               | all        | closed |
| CVE-2016-10555 | Key confusion          | HMAC verifier handed a public RSA key                          | ALGORITHM_INVALID      | HS · RS    | closed |
| JWS spec       | Embedded jwk trust     | Header-supplied jwk overrides the configured key set           | JKU_PRESENT            | all        | closed |
| RFC 7519       | Audience drift         | Token aud doesn't match the configured allow-list              | AUDIENCE_MISMATCH      | all        | closed |
| RFC 7519       | Issuer drift           | Token iss doesn't match the configured issuer                  | ISSUER_MISMATCH        | all        | closed |
| JWKS           | kid rollback           | Removed key reappears in JWKS — provider compromise signal     | NO_KEY_OVERLAP         | all        | closed |
| Clock          | Skew abuse             | Tokens issued past expiry or before nbf                        | TOKEN_EXPIRED          | all        | closed |
| Claims         | Required claim missing | Policy requires sub/scope/custom claim that token omits        | REQUIRED_CLAIM_MISSING | all        | closed |
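To show how the refusal codes above and the CI fixture suite from the previous section fit together, here is an added example (not JWTShield's code): a policy checker that emits those codes from already-decoded header and claims, and a fixture runner where negative fixtures carry expected_failure_codes and each check yields a VerifyResult. It assumes signature verification has already run before this policy step; the policy, fixtures and timestamp are constructed.

```python
from collections import namedtuple

# Per-check result, as the CI section describes; an empty codes list means accepted.
VerifyResult = namedtuple("VerifyResult", "name codes passed")

def check_policy(header: dict, claims: dict, policy: dict, now: int) -> list:
    # Returns every refusal code that applies; [] means the token passes policy.
    codes = []
    alg = header.get("alg", "")
    if alg.lower() == "none":
        codes.append("ALG_NONE")
    elif alg not in policy["allowed_algs"]:  # pinned to the key type, so HS/RS confusion is refused
        codes.append("ALGORITHM_INVALID")
    if "jwk" in header or "jku" in header:   # the header never gets to choose its own key
        codes.append("JKU_PRESENT")
    if claims.get("iss") != policy["issuer"]:
        codes.append("ISSUER_MISMATCH")
    aud = claims.get("aud", [])
    if not set([aud] if isinstance(aud, str) else aud) & set(policy["audiences"]):
        codes.append("AUDIENCE_MISMATCH")
    if claims.get("exp", 0) <= now or claims.get("nbf", 0) > now:
        codes.append("TOKEN_EXPIRED")
    if any(c not in claims for c in policy["required_claims"]):
        codes.append("REQUIRED_CLAIM_MISSING")
    return codes

def run_suite(fixtures: list, policy: dict, now: int) -> dict:
    # A positive fixture must be accepted; a negative one must fail with exactly its expected codes.
    results = []
    for f in fixtures:
        codes = check_policy(f["header"], f["claims"], policy, now)
        expected = set(f.get("expected_failure_codes", []))
        results.append(VerifyResult(f["name"], codes, set(codes) == expected))
    failed = [r.name for r in results if not r.passed]
    return {"status": "fail" if failed else "pass", "failed": failed, "results": results}

# Constructed policy and fixtures (decoded header/claims only; all values illustrative).
POLICY = {"issuer": "https://login.example.com", "audiences": ["api://backend"],
          "allowed_algs": ["RS256"], "required_claims": ["sub", "scope"]}
NOW = 1_800_000_000
GOOD = {"iss": POLICY["issuer"], "aud": "api://backend", "sub": "usr_1", "scope": "read:invoices", "exp": NOW + 600}
FIXTURES = [
    {"name": "valid", "header": {"alg": "RS256", "kid": "k1"}, "claims": GOOD},
    {"name": "alg-none", "header": {"alg": "none"}, "claims": GOOD, "expected_failure_codes": ["ALG_NONE"]},
    {"name": "hs-key-confusion", "header": {"alg": "HS256"}, "claims": GOOD,
     "expected_failure_codes": ["ALGORITHM_INVALID"]},
    {"name": "scope-dropped", "header": {"alg": "RS256"}, "claims": {k: v for k, v in GOOD.items() if k != "scope"},
     "expected_failure_codes": ["REQUIRED_CLAIM_MISSING"]},
    {"name": "renamed-aud", "header": {"alg": "RS256"}, "claims": {**GOOD, "aud": "api://backend-v2"}},  # regresses
]
```

Running `run_suite(FIXTURES, POLICY, NOW)` reports status "fail" with "renamed-aud" as the single regression, which is the shape of signal the PR check above is meant to surface.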
// SECTION 04 · INSTALL

Three minutes from curl to verified token.

No SDK to audit. No JWKS rotation to babysit. One HTTP call to /v1/inspect/token for decode, one to /v1/validate/jwt for full validation.

inspect_token.sh
# Inspect any JWT. Issue your API key at jwtshield.com/dashboard.
$ export JWTSHIELD_URL=https://api.jwtshield.com
$ export JWTSHIELD_API_KEY=jws_live_...
$ curl -sSf -X POST "$JWTSHIELD_URL/v1/inspect/token" \
    -H "Authorization: Bearer $JWTSHIELD_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{"token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c3JfMSJ9.x"}'
inspect_token.js
// 1. Configure once
const BASE_URL = process.env.JWTSHIELD_URL;
const API_KEY = process.env.JWTSHIELD_API_KEY; // jws_live_...
const bearer = process.argv[2]; // the JWT to inspect, passed as the first CLI argument
if (!bearer) throw new Error("usage: node inspect_token.js <jwt>");

// 2. Decode any JWT, structured response back
// (uses top-level await, so run as an ES module: .mjs or "type": "module")
const r = await fetch(`${BASE_URL}/v1/inspect/token`, {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${API_KEY}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ token: bearer }),
});
if (!r.ok) throw new Error(`HTTP ${r.status}`);
const { decoded, suspicious_warnings } = await r.json();
console.log(decoded.header, suspicious_warnings);
inspect_token.py
import os
import sys
import httpx

BASE_URL = os.environ["JWTSHIELD_URL"]
API_KEY = os.environ["JWTSHIELD_API_KEY"]  # jws_live_...
bearer = sys.argv[1]  # the JWT to inspect, passed as the first CLI argument

# json= sets the Content-Type header; the bearer goes in the body, not the Authorization header
r = httpx.post(
    f"{BASE_URL}/v1/inspect/token",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={"token": bearer},
    timeout=10.0,
)
r.raise_for_status()  # raises on any non-2xx response, including a refused token
body = r.json()
print(body["decoded"]["header"], body["suspicious_warnings"])
// SECTION 09 · COMING · Tracked · dated · not promised

On the roadmap, not in the box.

JWTShield v0.0.1 ships today. The items below are scoped and dated; until they ship, they are not features of JWTShield. We list them here so the live-state copy elsewhere on the site can be honest.

  • 01 · Q3 2026 · SOC 2 · Type II
    Auditor engagement scoped. Observation period has not started. Report will be available to Team + Enterprise customers under NDA.
  • 02 · 2027 · ISO 27001 · HIPAA · GDPR
    Sequenced after SOC 2. ISO 27001 first; HIPAA + GDPR attestations follow as procurement demands.
  • 03 · Q4 2026 · Multi-region rollout
    Second region (us-west) in scoping. Per-issuer region pinning planned. 14-region footprint is a stretch target, not a commitment.
  • 04 · 2027 · Dedicated region · on-prem image
    Enterprise tier. License-bound JWKS cache + customer-pinned evidence pipeline. Same container we run, your hardware.
  • 05 · Q4 2026 · SLA contract · 99.99%
    Prerequisite: 90 days of clean uptime data on /v1/health. We will publish the data before we offer the contract.
  • 06 · Q3 2026 · SAML SSO · named contact
    Enterprise authentication + a single human you can reach in under an hour. Tied to billing, not seat count.
Track ship dates at /changelog · RSS
// SHIP TODAY

Stop guessing if your tokens are safe.

JWTShield v0.0.1 is live. Read the docs, decode any JWT in the browser, then sign in with one click and ship a verified key straight into your runtime.
