JWT signature verification disabled (PyJWT)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A PyJWT decode call disables signature verification (verify=False or verify_signature: False), so tokens are trusted without being checked.
Why it matters
Passing verify=False or verify_signature: False to PyJWT decode returns the token claims without checking the signature at all. That turns the token into plain untrusted input: anyone can send a JWT with any user id or role and it is accepted. The call still looks like a normal decode, which is why it slips through review.
How to fix it
Call jwt.decode with the verifying key and an explicit algorithms list, and remove verify=False and any options that disable verification. If you only need to read a claim before verification (rare), do it on a clearly separate unverified path and never use those claims for an authorization decision.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo