Field notes on JWT validation, OIDC config drift, JWKS rotation, and catching auth regressions before they ship to prod.https://jwtshield.com/en-ushttps://jwtshield.com/blog/3-jwt-bugs-that-ship-to-prod-silently/https://jwtshield.com/blog/3-jwt-bugs-that-ship-to-prod-silently/Three concrete failure modes that take down OIDC in production: JWKS rotation without overlap, wrong audience claims, and issuer config drift. Reproduction code, the one HTTP call that catches each, and the 5-line GitHub Actions step that runs the whole regression suite.Sat, 02 May 2026 00:00:00 GMTCI regressionjwtjwksoidcci-cddevsecopsregressiongithub-actionsJWTShield teamhttps://jwtshield.com/blog/alg-none-jwt-vulnerability/https://jwtshield.com/blog/alg-none-jwt-vulnerability/Why the alg=none JWT bug class refuses to die, with working exploit code, the right way to refuse it, and the one HTTP call that catches every variant.Mon, 27 Apr 2026 00:00:00 GMTAttack classjwtjwsattackrfc7515JWTShield teamhttps://jwtshield.com/blog/auth0-jwt-validation-production/https://jwtshield.com/blog/auth0-jwt-validation-production/Auth0's quickstart shows signature verification. Real production needs eight checks. Here is each one, why it exists, and the failure mode it prevents.Mon, 27 Apr 2026 00:00:00 GMTIdP integrationauth0oidcjwksjwtrs256JWTShield teamhttps://jwtshield.com/blog/express-jwt-middleware-2026/https://jwtshield.com/blog/express-jwt-middleware-2026/express-jwt's defaults still let alg=none through on some configurations. Here is the safe handcrafted middleware in 60 lines, and the one-line replacement that off-loads verification to a service.Mon, 27 Apr 2026 00:00:00 GMTFrameworkexpressnodemiddlewarejwtJWTShield team