Modern APIs frequently use OAuth 2.0 and JWTs to support delegated access, single sign-on, and stateless sessions. These systems introduce new testing challenges, including multi-step flows, token scopes, and signature validation. Understanding these concepts is essential for meaningful API auth testing.
Testing OAuth 2.0 Flows
OAuth 2.0 defines flows such as Authorization Code, Client Credentials, and Refresh Token. Each flow has specific steps where clients obtain and use tokens. Testers should validate not just that tokens are obtained successfully, but also that scopes are enforced, refresh works correctly, and tokens expire as expected.
# Example: Client Credentials flow with curl
curl -X POST "https://auth.example.com/oauth/token" \
  -d "grant_type=client_credentials" \
  -d "client_id=<client_id>" \
  -d "client_secret=<client_secret>"
JWTs are often used as access tokens. They contain claims such as subject (sub), expiry (exp), and scopes, and they are signed to prevent tampering. Testers can decode JWTs to inspect claims and verify that the API checks signatures and expiry correctly.
JWT Validation Scenarios
Useful tests include sending tokens with modified claims, expired tokens, tokens signed with the wrong key, or tokens missing required claims. APIs should reject these with appropriate status codes like 401 or 403. You should also verify that sensitive data is not stored in JWTs in plain text when that would be inappropriate.
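The scenarios listed above, and the scope and expiry checks called for in the OAuth section, can be exercised offline with a small harness. The following is an added example, not code from the original article: it implements a minimal HS256 JWT encoder and verifier with the standard library, simulates a resource server that returns 401 when the token itself is unacceptable and 403 when a valid token lacks the required scope, and builds one token per scenario (modified claims, expired, wrong key, missing claim, insufficient scope, and an unsigned "alg: none" token as a pinning check). The signing key, claim values and the required-claim list are constructed for the demonstration.

```python
# Added example (not from the original article): HS256 JWT helpers plus a
# simulated resource-server check, used to drive the JWT validation
# scenarios offline. Key, claims and the required-claim list are constructed.
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-signing-key"  # assumption: HMAC key held by the API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT (header.payload.signature); alg "none" yields an empty signature."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int, required=("sub", "exp", "scope")) -> dict:
    """Return the claims if the token is well-formed, correctly signed, unexpired
    and carries every required claim; raise ValueError with a reason otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if now >= int(claims["exp"]):  # RFC 7519: current time must be before exp
        raise ValueError("expired")
    return claims


def check_request(token: str, required_scope: str, now: int) -> tuple:
    """Simulated resource-server decision for one request: (HTTP status, reason)."""
    try:
        claims = verify_jwt(token, SERVER_KEY, now)
    except ValueError as e:
        return 401, str(e)                      # token not acceptable at all
    if required_scope not in claims["scope"].split():
        return 403, "insufficient scope"        # authenticated, not authorised
    return 200, claims["sub"]


def run_scenarios(now: int) -> dict:
    """Build one token per validation scenario and return the status each receives."""
    good = {"sub": "user-1", "exp": now + 300, "scope": "read write"}
    valid = encode_jwt(good, SERVER_KEY)

    # Modified claims: swap the payload but keep the original signature.
    header_b64, _, sig_b64 = valid.split(".")
    forged_payload = _b64url(json.dumps({**good, "sub": "admin"}, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"

    scenarios = {
        "valid": valid,
        "expired": encode_jwt({**good, "exp": now - 1}, SERVER_KEY),
        "wrong_key": encode_jwt(good, b"some-other-key"),
        "tampered_claims": tampered,
        "missing_sub": encode_jwt({"exp": now + 300, "scope": "read write"}, SERVER_KEY),
        "insufficient_scope": encode_jwt({**good, "scope": "read"}, SERVER_KEY),
        "alg_none": encode_jwt(good, SERVER_KEY, alg="none"),
    }
    return {name: check_request(tok, "write", now)[0] for name, tok in scenarios.items()}


if __name__ == "__main__":
    for name, status in run_scenarios(int(time.time())).items():
        print(f"{name:20s} -> {status}")
```

Only the "valid" token should reach 200; every scenario that breaks the signature, lifetime or required claims should be answered with 401, and the token that is sound but under-scoped with 403. When running the same cases against a real API, substitute the token endpoint from the curl example for `encode_jwt` and compare the live status codes against this expected table.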
Common Mistakes
Mistake 1: Treating OAuth and JWTs as simple opaque tokens
Ignoring their structure misses many failure modes.
✗ Wrong: Only verifying that "a token exists" without checking scopes or expiry.
✓ Correct: Decode tokens and design tests around claims, scopes, and lifetimes.
Mistake 2: Never testing invalid or tampered tokens
APIs must fail securely when tokens are wrong.
✗ Wrong: Accepting any token that looks syntactically valid.
✓ Correct: Send tokens with altered signatures or claims and ensure they are rejected.