Will It Vibe logoWill It Vibe?
AUTHZ-002High severity-15 points

JWT signature verification disabled (PyJWT)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A PyJWT decode call disables signature verification (verify=False or verify_signature: False), so tokens are trusted without being checked.

Why it matters

Passing verify=False or verify_signature: False to PyJWT decode returns the token claims without checking the signature at all. That turns the token into plain untrusted input: anyone can send a JWT with any user id or role and it is accepted. The call still looks like a normal decode, which is why it slips through review.

How to fix it

Call jwt.decode with the verifying key and an explicit algorithms list, and remove verify=False and any options that disable verification. If you only need to read a claim before verification (rare), do it on a clearly separate unverified path and never use those claims for an authorization decision.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks