Domain 02 / 12
Secrets & Identity security audit
Keep secrets out of your code and make every token, JWT and federation flow tamper-proof.
- 50 checks
- API keys · Tokens · JWT · OAuth · OIDC · SAML · Passkeys
What securmyapp checks
Inside the Secrets & Identity domain
This is the Secrets & Identity domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Secrets & Identity domain hunts down exposed credentials and hardens every identity token in your stack. securmyapp verifies secrets are stored in a vault (not cleartext), rotated and kept out of logs and URLs, then rigorously tests JWT handling for the classic forgery paths — alg:none, RS256→HS256 confusion, kid injection and unvalidated claims — plus OAuth, OIDC, SAML and Passkey flows.
Coverage areas
50 atomic checks span these sub-domains.
Secrets management
Vault/KMS usage, rotation, no secrets in logs or environment leaks.
API keys
Minimal scope, fast revocation, never carried in the URL.
JWT
Strict algorithm allowlist, alg:none rejection, kid/jku/jwk control, claim validation.
OAuth & OIDC
PKCE, state, redirect-URI validation and token handling.
SAML
Assertion signature validation and replay protection.
Passkeys / WebAuthn
Phishing-resistant, passwordless authentication.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| Strict validation of the JWT algorithm | Critical | RS256→HS256 confusion and alg:none — i.e. token forgery. | CWE-347 · API2:2023 · ASVS V9 |
| Explicit rejection of alg:none | Critical | Unsigned JWTs that bypass authentication entirely. | CWE-347 · WSTG-SESS-10 |
| Validation of the kid parameter | High | Path traversal, SQLi or command injection via the JWT kid header. | CWE-347 · ASVS V9 |
| API keys never in URL | High | Keys traveling in the query string, where every proxy logs them. | API2:2023 · CWE-598 |
| Secrets vault | High | Cleartext secrets in config files instead of a vault/KMS. | ASVS V13 · NIST SC-12/SC-28 |
| No secrets in logs | High | Tokens and keys written to application logs. | ASVS V16 · CWE-532 |
Vulnerabilities we catch
- JWT algorithm confusion and alg:none authentication bypass
- Injection through the JWT kid / jku / jwk headers
- API keys and tokens carried in URLs or written to logs
- Cleartext secrets in configuration instead of a vault
- Over-privileged, non-rotated, long-lived credentials
- Weak HMAC secrets vulnerable to offline brute-force
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
Secrets & Identity — questions & answers
How does it test JWT security?
It enforces a server-side algorithm allowlist, submits unsigned (alg:none) and tampered tokens, probes the kid/jku/jwk headers for injection, and validates exp/nbf/iat/aud/iss claims — the full set of JWT forgery vectors.
Does it find secrets that were already committed?
Yes. It scans the whole Git history with gitleaks and flags any key or token, then guides safe remediation — remembering that rotation, not just removal, is what actually neutralizes a leaked secret.
Does it cover OAuth and SAML, not just JWT?
Yes — the domain spans OAuth, OIDC, SAML and Passkeys, in addition to API-key hygiene and general secrets management.
Related domains
Get started
Audit your app in the next five minutes
Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp
View on GitHub Browse the domains
New to Claude Code? Follow the step-by-step getting started guide.
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.