Authentication
Token validation that actually validates.
/jwt: Returns 401 with a JSON body listing every check a correct JWT validator applies: alg pinned to RS256, alg:none rejected, exp checked, nbf checked, kid sanitized before key lookup, signature required. Counterpart to /jwt, which accepts tokens that fail these checks.
Correct token rejection. Where the chaos counterpart accepts tokens it should refuse — alg:none signatures, algorithm confusion, path-traversed key IDs, impossible validity windows — this endpoint returns 401 and lists every check a correct validator applies.
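As an added example, not code from this page's service, the Go program below applies the checks the strict endpoint lists and reports them as the same kind of named pass/fail body with a 200 or 401 status. Everything beyond the check list is an assumption of this example: `keys` is an in-memory kid -> public key map standing in for a JWKS, `kidPattern` and its 64-character cap are this example's allow-list for key IDs, and `Mint` exists only to build test tokens (including the unsigned and wrong-algorithm shapes the chaos counterpart accepts) so the validator can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Result mirrors the strict endpoint's JSON body: every check by name, 200 only when all pass.
type Result struct {
	Status int             `json:"status"`
	Checks map[string]bool `json:"checks"`
}

type jwtHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type jwtClaims struct {
	Exp *int64 `json:"exp,omitempty"`
	Nbf *int64 `json:"nbf,omitempty"`
}

// A kid is an opaque identifier, never a path: allow-list it before any key lookup (the 64-char cap is this example's choice).
var kidPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

func decodeJSON(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err == nil {
		err = json.Unmarshal(raw, v)
	}
	return err
}

// Validate runs every check and records each one; keys is a hypothetical in-memory kid -> public key store standing in for a JWKS.
func Validate(token string, keys map[string]*rsa.PublicKey, now time.Time) Result {
	r := Result{Status: 200, Checks: map[string]bool{}}
	add := func(name string, ok bool) bool {
		r.Checks[name] = ok
		if !ok {
			r.Status = 401
		}
		return ok
	}
	parts := strings.Split(token, ".")
	hdr, cl := jwtHeader{}, jwtClaims{}
	if !add("structure_three_segments", len(parts) == 3) ||
		!add("header_is_json", decodeJSON(parts[0], &hdr) == nil) ||
		!add("payload_is_json", decodeJSON(parts[1], &cl) == nil) {
		return r
	}
	// alg is pinned by the verifier, never trusted from the token; that one rule defeats alg:none and HS256 key confusion alike.
	add("alg_none_rejected", !strings.EqualFold(hdr.Alg, "none"))
	add("alg_pinned_rs256", hdr.Alg == "RS256")
	var pub *rsa.PublicKey
	if add("kid_sanitized", kidPattern.MatchString(hdr.Kid)) {
		pub = keys[hdr.Kid] // the store is consulted only with a sanitized kid
	}
	sigOK := false
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err == nil && pub != nil && hdr.Alg == "RS256" {
		h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		sigOK = rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
	}
	add("signature_valid", sigOK)
	add("exp_present_and_future", cl.Exp != nil && now.Unix() < *cl.Exp)
	add("nbf_not_in_future", cl.Nbf == nil || *cl.Nbf <= now.Unix())
	add("window_possible", cl.Exp == nil || cl.Nbf == nil || *cl.Nbf <= *cl.Exp)
	return r
}

// Mint builds a token with any header so tests can reproduce the shapes the chaos counterpart accepts; only alg=RS256 is really signed.
func Mint(priv *rsa.PrivateKey, hdr jwtHeader, cl jwtClaims) string {
	hb, _ := json.Marshal(hdr)
	pb, _ := json.Marshal(cl)
	input := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(pb)
	var sig []byte
	if hdr.Alg == "RS256" {
		h := sha256.Sum256([]byte(input))
		sig, _ = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := map[string]*rsa.PublicKey{"kid-1": &priv.PublicKey} // constructed key store
	exp := time.Now().Add(time.Hour).Unix()
	tok := Mint(priv, jwtHeader{Alg: "none", Kid: "kid-1"}, jwtClaims{Exp: &exp})
	out, _ := json.MarshalIndent(Validate(tok, keys, time.Now()), "", "  ")
	fmt.Printf("%s\n", out)
}
```

Running it prints the report for an alg:none token: `alg_none_rejected`, `alg_pinned_rs256` and `signature_valid` are false and the status is 401, while the claim checks still pass, which is the point of listing every check rather than stopping at the first failure. Two design choices matter for the security outcome: the accepted algorithm is a constant in the verifier, so the token's `alg` can only ever match or fail, and the key store is never consulted with a kid that failed the allow-list, so a path-shaped kid never reaches file or JWKS lookup code.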