Is your JWT signing secret exposed?

If your JWT secret leaks, an attacker can forge a valid token for any user — including admins. GhostCred detects exposed JWT secrets and signing keys in your code and config.

What this checks

• ✓Hardcoded JWT signing secrets and HS256 keys
• ✓Secrets in auth middleware and config files
• ✓Weak or default signing secrets
• ✓RS256 private keys used for signing

Why it matters

Token forgery is total auth bypass — no password needed. This is one of the highest-severity leaks there is.