online / endpoints 59 / categories 14 / rate 60/min/ip /
catastrophic.io /chaos

GET /jwt-payload

GET /jwt-payload

Returns JWT payload (claims) objects with RFC 7519 violations. Default sends `exp` as a string instead of a NumericDate. Use ?mode= to isolate other violations: malformed iss, mixed-type aud array, or a reserved claim with the wrong type. Distinct from /jwt (token-validation flaws) and /auth (challenge framing).

mode exp-as-string (default; `exp` is a string instead of a NumericDate integer per RFC 7519 §4.1.4; typed SDKs throw on deserialization), iss-malformed (`iss` is a bare word, not a URI; validators that require URI format reject), aud-mixed-types (`aud` array contains string, integer, and boolean; RFC 7519 §4.1.3 requires StringOrURI), reserved-claim-collision (`sub` is an object instead of a string principal identifier; libraries that read sub as string throw or stringify to "[object Object]").

control Compare against the well-formed counterpart: not.catastrophic.io/jwt-payload side-by-side

build a request:

expect: A JSON object representing a JWT claim set with one RFC 7519 violation. The `note` field in the body explains what is wrong.

bash
curl -si 'https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string' | grep -E '^(HTTP|content-type|x-chaos)'

import urllib.request, json
resp = urllib.request.urlopen("https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string")
print("Content-Type:", resp.headers.get("Content-Type"))
print("X-Chaos-Jwt-Payload-Mode:", resp.headers.get("X-Chaos-Jwt-Payload-Mode"))
body = json.loads(resp.read())
print("exp type:", type(body.get("exp")).__name__)
print("iss:", body.get("iss"))
print("aud:", body.get("aud"))
print("note:", body.get("note"))

const res = await fetch("https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string");
const body = await res.json();
console.log("Content-Type:", res.headers.get("content-type"));
console.log("X-Chaos-Jwt-Payload-Mode:", res.headers.get("x-chaos-jwt-payload-mode"));
console.log("exp value:", body.exp, "/ typeof:", typeof body.exp);
console.log("iss:", body.iss);
console.log("aud:", body.aud);
console.log("note:", body.note);

package main

import (
    "encoding/json"
    "fmt"
    "io"
    "net/http"
)

func main() {
    resp, _ := http.Get("https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string")
    defer resp.Body.Close()
    raw, _ := io.ReadAll(resp.Body)
    var body map[string]any
    json.Unmarshal(raw, &body)
    fmt.Println("Content-Type:", resp.Header.Get("Content-Type"))
    fmt.Println("X-Chaos-Jwt-Payload-Mode:", resp.Header.Get("X-Chaos-Jwt-Payload-Mode"))
    fmt.Printf("exp value: %v (Go type: %T)\n", body["exp"], body["exp"])
    fmt.Printf("iss: %v\n", body["iss"])
    fmt.Printf("aud: %v\n", body["aud"])
}

// Cargo.toml: reqwest = { version = "0.12", features = ["blocking", "json"] }
fn main() -> Result<(), Box> {
    let resp = reqwest::blocking::get("https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string")?;
    println!("Content-Type: {:?}", resp.headers().get("content-type"));
    println!("X-Chaos-Jwt-Payload-Mode: {:?}", resp.headers().get("x-chaos-jwt-payload-mode"));
    let body: serde_json::Value = resp.json()?;
    println!("exp: {:?}", body.get("exp"));
    println!("iss: {:?}", body.get("iss"));
    println!("aud: {:?}", body.get("aud"));
    Ok(())
}

import java.net.URI;
import java.net.http.*;

public class JwtPayloadChaos {
    public static void main(String[] args) throws Exception {
        var client = HttpClient.newHttpClient();
        var req = HttpRequest.newBuilder(URI.create("https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string")).build();
        var resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println("Content-Type: " +
            resp.headers().firstValue("Content-Type").orElse(""));
        System.out.println("X-Chaos-Jwt-Payload-Mode: " +
            resp.headers().firstValue("X-Chaos-Jwt-Payload-Mode").orElse(""));
        System.out.println("Body: " + resp.body());
    }
}

using var client = new HttpClient();
var resp = await client.GetAsync("https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string");
Console.WriteLine($"Content-Type: {resp.Content.Headers.ContentType}");
Console.WriteLine($"X-Chaos-Jwt-Payload-Mode: " +
    $"{resp.Headers.GetValues("X-Chaos-Jwt-Payload-Mode").FirstOrDefault()}");
var body = await resp.Content.ReadAsStringAsync();
Console.WriteLine($"Body: {body}");

require "net/http"
require "json"
uri = URI("https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string")
Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
    res = http.get(uri.request_uri)
    puts "Content-Type: #{res['Content-Type']}"
    puts "X-Chaos-Jwt-Payload-Mode: #{res['X-Chaos-Jwt-Payload-Mode']}"
    body = JSON.parse(res.body)
    puts "exp class: #{body['exp'].class}"
    puts "iss: #{body['iss']}"
    puts "aud: #{body['aud'].inspect}"
end

$r = Invoke-RestMethod -Uri 'https://chaos.catastrophic.io/jwt-payload?mode=exp-as-string' -ResponseHeadersVariable h
"Content-Type: $($h['Content-Type'])"
"X-Chaos-Jwt-Payload-Mode: $($h['X-Chaos-Jwt-Payload-Mode'])"
"exp value: $($r.exp) / type: $($r.exp.GetType().Name)"
"iss: $($r.iss)"
"aud: $($r.aud -join ', ')"