TokenTriage
TokenTriage is a web app (with an optional CLI) that continuously tests your production and staging APIs for authentication and authorization failures, especially around JWT/OAuth, session tokens, and tenant isolation. Instead of only scanning OpenAPI specs, it runs safe, scripted "negative tests" against real endpoints: expired tokens, wrong audiences, missing scopes, swapped tenant IDs, replay attempts, and privilege escalation paths. It plugs into your IdP (Auth0/Okta/Azure AD) to mint controlled test tokens and verifies that every endpoint enforces the right claims. Results are mapped to endpoints, routes, and CI builds, with clear repro steps and a severity rating. This is not a magic button: you still need decent test environments and buy-in from engineering. But it gives security teams and API owners a repeatable way to detect the most common, high-impact API auth bugs that slip past code review and WAFs.
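To make the "negative test" idea concrete, here is an added, self-contained Python example that is not TokenTriage's own code. It assumes a hypothetical HS256-signed JWT with `aud`, `scope`, `tenant`, `exp` and `jti` claims, a hypothetical resource-server check `verify_request()`, and a constructed test matrix in `run_negative_suite()` that mints one token per failure class (expired, wrong audience, missing scope, swapped tenant, forged signature, replay) and records whether the check rejected it for the expected reason. The same matrix is what a tool like the one described would drive against a live endpoint with IdP-minted tokens; here the "endpoint" is the local validator so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (constructed stand-in for IdP-minted test tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return "{}.{}".format(signing_input, _b64url(sig))


def verify_request(token, key, expected_aud, required_scope, path_tenant, now=None, seen_jti=None):
    """Hypothetical resource-server check. Returns (allowed, reason).

    Order matters: pin the algorithm and check the signature before trusting any claim,
    then enforce exp, aud, scope and tenant, and finally replay via jti.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        return False, "unexpected alg"
    expected_sig = hmac.new(key, "{}.{}".format(parts[0], parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    if claims.get("tenant") != path_tenant:   # token tenant must match the tenant in the route
        return False, "tenant mismatch"
    if seen_jti is not None:                  # optional single-use enforcement
        jti = claims.get("jti")
        if jti is None or jti in seen_jti:
            return False, "replayed"
        seen_jti.add(jti)
    return True, "ok"


def run_negative_suite(key: bytes, now: int) -> dict:
    """Constructed negative-test matrix: one case per auth failure class.

    Each result records the validator's verdict and whether it matched expectation
    (only the 'valid' case should be allowed).
    """
    base = {"sub": "user-1", "aud": "orders-api", "scope": "orders:read orders:write",
            "tenant": "acme", "exp": now + 300, "jti": "req-0001"}
    cases = {
        "valid":            (dict(base), "acme"),
        "expired":          ({**base, "exp": now - 1}, "acme"),
        "wrong_audience":   ({**base, "aud": "billing-api"}, "acme"),
        "missing_scope":    ({**base, "scope": "orders:read"}, "acme"),
        "swapped_tenant":   (dict(base), "globex"),
        "forged_signature": (dict(base), "acme"),
    }
    results = {}
    for name, (claims, path_tenant) in cases.items():
        signing_key = b"attacker-guessed-key" if name == "forged_signature" else key
        token = mint_token(claims, signing_key)
        allowed, reason = verify_request(token, key, "orders-api", "orders:write", path_tenant, now=now)
        results[name] = {"allowed": allowed, "reason": reason, "pass": allowed == (name == "valid")}

    # Replay: present the same single-use token twice against a validator that tracks jti.
    seen = set()
    token = mint_token(dict(base), key)
    verify_request(token, key, "orders-api", "orders:write", "acme", now=now, seen_jti=seen)
    allowed, reason = verify_request(token, key, "orders-api", "orders:write", "acme", now=now, seen_jti=seen)
    results["replay"] = {"allowed": allowed, "reason": reason, "pass": not allowed}
    return results


if __name__ == "__main__":
    for name, r in run_negative_suite(b"constructed-shared-secret", int(time.time())).items():
        print("{:<18} {} ({})".format(name, "PASS" if r["pass"] else "FAIL", r["reason"]))
```

A case whose `pass` flag is false is the finding: the endpoint accepted a token it should have rejected, and the case name plus reason is the repro step. Against a real API the validator call is replaced by an HTTP request carrying the token, and the tenant cases are the ones most worth running per route, since they are the ones OpenAPI scanning cannot see.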