# `react-doctor/jwt-insecure-verification`

JWT verified with the 'none' algorithm

- **Category:** Security
- **Severity:** error
- **Source:** oxlint-plugin-react-doctor
- **Framework:** global
- **Enabled when:** always

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm the reported code matches JWT verified with the 'none' algorithm. Check the framework context and diagnostic message before suppressing it.

## Fix prompt

Use this once validation confirms the diagnostic is real.

Never accept the `none` algorithm; it disables signature verification and lets any forged token through. Pin the real algorithm(s) explicitly (`jwt.verify(token, key, { algorithms: ['RS256'] })`).
