JSON Web Token literal
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A three-part JWT literal (eyJ...eyJ...) was found in source. If it is a real session or access token it grants whatever the token authorizes until it expires.
Why it matters
A JSON Web Token embedded in source is often a real session or access token. If it is live, anyone with it holds whatever the token authorizes until it expires. Even an example token can leak claims and signing details that help forge others.
How to fix it
Do not hardcode JWTs. Obtain them at runtime from your auth flow and keep them in memory or secure storage. If the flagged token is real, treat the session as compromised and invalidate it; rotate the signing key if the token was long-lived.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo