SecurAI scans your GitHub repository for JWT and OAuth vulnerabilities, ranks them by severity, and explains exactly how to fix each one.
public repos scan instantly · private repos require sign-in
How it works
Point SecurAI at any public or connected GitHub repository. No agent to install, no config files to write.
A deterministic rule engine catches known auth anti-patterns; an AI review pass reasons about the surrounding code for context-dependent bugs.
Findings ranked by severity, each with the exact file and line, why it's exploitable, and a copy-paste fix.
What it catches
Tokens verified without an algorithm allowlist accept alg:none forgeries and RS256→HS256 downgrades using the public key as the HMAC secret.
Tokens decoded instead of verified — or signed without an exp claim — keep granting access forever, even after logout or revocation.
Short, guessable, or source-committed signing secrets let anyone with repo access mint valid tokens for any user.
Authorization flows without a validated state value are open to login CSRF — an attacker binds their code to a victim's session.
Loose redirect_uri matching (open redirects, wildcard hosts, missing exact-match) leaks authorization codes and tokens to attacker-controlled URLs.
Access tokens kept in localStorage are readable by any XSS on the page. HttpOnly, Secure, SameSite cookies keep them out of JavaScript's reach.
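The first two findings above come down to one function: a verifier that pins the algorithm, checks the signature in constant time, and refuses tokens without an unexpired exp. The following is an added example, not SecurAI's code or output; it uses only the Python standard library, supports HS256 only, and the secret and claims are constructed for the demo.

```python
# Added example (not SecurAI's code): a minimal HS256 JWT signer/verifier using only the
# Python standard library, showing the decode-without-verify anti-pattern beside the
# hardened check. The secret and claims used with it are constructed for the demo.
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = {"HS256"}  # explicit allowlist; "none" and anything unexpected are rejected

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg="none" yields an unsigned token, used here only
    to show what a verifier without an allowlist would wrongly accept."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> dict:
    """The anti-pattern: returns claims without checking signature, alg, or exp."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Hardened check: allowlisted alg, constant-time signature compare, mandatory unexpired exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing exp claim")
    if (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return claims

def is_accepted(token: str, secret: bytes, now=None) -> bool:
    """True only if verify_hs256 accepts the token; any rejection reason yields False."""
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False
```

Passing `now` explicitly makes the expiry check deterministic in tests; in production leave it unset so the wall clock is used.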
Drop in a GitHub URL and get a prioritized auth-security report with fixes you can ship today.