JWT
// Definition
JSON Web Token — a compact, URL-safe token format for transmitting claims between parties. A JWT has three Base64URL-encoded sections separated by dots: header (signing algorithm), payload (claims like `sub`, `exp`, `roles`), and signature. Because the payload is encoded but not encrypted, any holder of the token can read the claims — never store secrets in a JWT payload. Test JWTs by checking expiry enforcement, algorithm validation (reject `alg: none`), and rejection of tampered signatures.
// Why it matters
JWTs carry signed claims (who you are, what you can do) so the server can trust a request without a session lookup. The QA risk is that the token is only as good as its validation: skip the signature check, accept `alg: none`, or ignore expiry, and the whole auth model collapses.
// How to test
```javascript
// A tampered payload must be rejected (signature check enforced).
// validJwt, claims and forgeJwt are test fixtures: a token minted with the
// real key, its decoded claims, and a helper that re-signs altered claims
// with the wrong key or alg: none.
it('rejects a tampered JWT', () => {
  cy.request({ url: '/api/me', headers: { Authorization: `Bearer ${validJwt}` } })
    .its('status').should('eq', 200)

  const tampered = forgeJwt({ ...claims, role: 'admin' }) // re-signed with wrong key / alg:none
  cy.request({
    url: '/api/me',
    headers: { Authorization: `Bearer ${tampered}` },
    failOnStatusCode: false,
  }).its('status').should('eq', 401)
})
```
// Common mistakes
- Accepting `alg: none` or letting the token dictate its own algorithm
- Not checking `exp` (expired tokens still work)
- Storing the JWT where XSS can read it (localStorage) instead of an HttpOnly cookie
// Related terms
OAuth 2.0
An open delegation protocol that lets users grant third-party applications scoped access to their resources without sharing their password. OAuth 2.0 defines four grant flows — Authorization Code (web apps), Client Credentials (server-to-server), Device Code (CLI tools / TVs), and PKCE (mobile apps). QA engineers test OAuth flows by validating token exchange, scope enforcement, refresh token behaviour, and failure modes like expired tokens, insufficient scopes, and revoked access.
RBAC
Role-Based Access Control — a permission model where access rights are assigned to roles, and users inherit permissions by belonging to one or more roles. A `viewer` role can read resources; an `admin` role can create, update, and delete. In API testing, RBAC tests verify that each role can reach only the endpoints it should: a viewer calling `DELETE /content` should get a 403, not a 200. Broken access control at the object and function level is consistently in the OWASP API Security Top 10.
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.