JWT
Change algorithm to None
Sometimes APIs don’t check for JWT encryption. None algorithm allows an attacker to craft a malicious JWT token to escalate privileges.
B64 None: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
JWT Injection
Sometimes applications reflect data that is stored inside the token, try to create accounts with malicious payloads