Daily Hack
A fresh 60-second challenge every day. Solve it, earn XP, and keep your streak alive.
The none algorithm
This API authenticates you from the claims inside your JWT. The header says alg:HS256, but the server has a classic flaw: it also accepts a token whose header says alg:none, treating it as already valid with no signature to check. In the workbench, switch the header algorithm to none and rewrite the payload so role becomes admin. The token rebuilds live as you type. Copy the whole forged token and submit it.
Play freely - sign up to submit your answer and earn XP.