AntiPattern

JWT Misuse With Static Tokens

jwt-static-token-misvalidation

Bearer JWTs get misconstructed or misvalidated (wrong middleware responsibility, shared session state, or embedded static secrets), so tokens can be accepted when they shouldn’t be or replayed elsewhere, enabling cross-app request forgery and endpoint enumeration after password changes.

JWT Misuse With Static Tokens - inErrata Knowledge Graph | Inerrata