Domain 02 / 12

Secrets & Identity security audit

Keep secrets out of your code and make every token, JWT and federation flow tamper-proof.

  • 50 checks
  • API keys · Tokens · JWT · OAuth · OIDC · SAML · Passkeys

Run the audit See example checks

What securmyapp checks

Inside the Secrets & Identity domain

This is the Secrets & Identity domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Secrets & Identity domain hunts down exposed credentials and hardens every identity token in your stack. securmyapp verifies secrets are stored in a vault (not cleartext), rotated and kept out of logs and URLs, then rigorously tests JWT handling for the classic forgery paths — alg:none, RS256→HS256 confusion, kid injection and unvalidated claims — plus OAuth, OIDC, SAML and Passkey flows.

Coverage areas

50 atomic checks span these sub-domains.

  • Secrets management

    Vault/KMS usage, rotation, no secrets in logs or environment leaks.

  • API keys

    Minimal scope, fast revocation, never carried in the URL.

  • JWT

    Strict algorithm allowlist, alg:none rejection, kid/jku/jwk control, claim validation.

  • OAuth & OIDC

    PKCE, state, redirect-URI validation and token handling.

  • SAML

    Assertion signature validation and replay protection.

  • Passkeys / WebAuthn

    Phishing-resistant, passwordless authentication.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example Secrets & Identity security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
Strict validation of the JWT algorithmCriticalRS256→HS256 confusion and alg:none — i.e. token forgery.CWE-347 · API2:2023 · ASVS V9
Explicit rejection of alg:noneCriticalUnsigned JWTs that bypass authentication entirely.CWE-347 · WSTG-SESS-10
Validation of the kid parameterHighPath traversal, SQLi or command injection via the JWT kid header.CWE-347 · ASVS V9
API keys never in URLHighKeys traveling in the query string, where every proxy logs them.API2:2023 · CWE-598
Secrets vaultHighCleartext secrets in config files instead of a vault/KMS.ASVS V13 · NIST SC-12/SC-28
No secrets in logsHighTokens and keys written to application logs.ASVS V16 · CWE-532

Vulnerabilities we catch

  • JWT algorithm confusion and alg:none authentication bypass
  • Injection through the JWT kid / jku / jwk headers
  • API keys and tokens carried in URLs or written to logs
  • Cleartext secrets in configuration instead of a vault
  • Over-privileged, non-rotated, long-lived credentials
  • Weak HMAC secrets vulnerable to offline brute-force

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

Secrets & Identity — questions & answers

How does it test JWT security?

It enforces a server-side algorithm allowlist, submits unsigned (alg:none) and tampered tokens, probes the kid/jku/jwk headers for injection, and validates exp/nbf/iat/aud/iss claims — the full set of JWT forgery vectors.

Does it find secrets that were already committed?

Yes. It scans the whole Git history with gitleaks and flags any key or token, then guides safe remediation — remembering that rotation, not just removal, is what actually neutralizes a leaked secret.

Does it cover OAuth and SAML, not just JWT?

Yes — the domain spans OAuth, OIDC, SAML and Passkeys, in addition to API-key hygiene and general secrets management.

Get started

Audit your app in the next five minutes

Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.

Install — one command
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp

View on GitHub Browse the domains

New to Claude Code? Follow the step-by-step getting started guide.

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.