6 min read | Saved February 14, 2026
Do you care about this?
TruffleHog has added a detector for JSON Web Tokens (JWTs) signed with public-key cryptography that also checks whether a found token is still live. Shortly after deployment it had already identified hundreds of exposed, still-valid JWTs. It does not yet cover JWTs signed with a shared secret, which are far more common, nor tokens whose issuer sits on a non-routable IP address or does not publish its keys via OIDC Discovery.
If you do, here's more
TruffleHog has introduced a new detector that identifies JSON Web Tokens (JWTs) signed with public-key cryptography and verifies their liveness. Shortly after deployment it had already found hundreds of live JWTs, placing it among the top 25 detectors in TruffleHog's suite. Checking a JWT's format or parsing its claims cannot tell you whether the token is still usable; this detector goes further by fetching the issuer's public key, which anyone can retrieve, and verifying the signature against it together with the token's own claims, so a security team learns whether a leaked token is a live credential rather than a stale one.
A JWT, widely used for authentication in web applications, consists of three base64url-encoded segments separated by dots: a header (which names the signing algorithm), a payload of claims, and a signature over the first two. JWTs are stateless bearer tokens: the server stores nothing, but whoever holds the token can use it until it expires, so a leaked one is a usable credential. TruffleHog's detector first filters candidates to those whose header names a public-key algorithm (the RS*/PS*/ES* families rather than HMAC-based HS*), then checks claims such as the expiration time locally so that already-expired tokens are discarded without any network traffic, and only then retrieves the issuer's public key via OIDC Discovery to verify the signature.
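The pipeline just described, as an added example written for this page rather than TruffleHog's own detector code (Go, since that is what TruffleHog is written in): parse the three segments, keep only public-key algorithms, reject expired tokens offline, and only then verify the RS256 signature against the issuer's published key. The issuer https://issuer.example, the key id k1, the MintRS256 helper that constructs sample tokens, and the fetchKeys callback are all assumptions made for the example; fetchKeys stands in for the OIDC Discovery request (iss + /.well-known/openid-configuration, then jwks_uri), and the step of parsing the JWKS n and e values into an RSA public key is omitted. The "skipped" branch is the shared-secret limitation: an HS256 token is dropped before any network request because nobody without the secret can verify it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// Header and Claims carry only the fields this triage needs.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}
type Claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// Keys is the issuer's key set by kid; a real detector parses it from the JWKS found via OIDC Discovery.
type Keys map[string]*rsa.PublicKey

// publicKeyAlgs: a third party can verify these with the issuer's public key; HS* (shared secret) is deliberately absent.
var publicKeyAlgs = map[string]bool{
	"RS256": true, "RS384": true, "RS512": true, "PS256": true, "PS384": true,
	"PS512": true, "ES256": true, "ES384": true, "ES512": true, "EdDSA": true,
}

// ParseJWT decodes the three segments without verifying anything.
func ParseJWT(tok string) (h Header, c Claims, sig []byte, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return h, c, nil, errors.New("not a compact JWT")
	}
	var raw [3][]byte
	for i, s := range p {
		if raw[i], err = b64.DecodeString(s); err != nil {
			return h, c, nil, err
		}
	}
	if err = json.Unmarshal(raw[0], &h); err == nil {
		err = json.Unmarshal(raw[1], &c)
	}
	return h, c, raw[2], err
}

// Triage follows the order the article describes: drop shared-secret tokens, check
// exp locally, and only then ask the issuer (fetchKeys = OIDC Discovery) for keys.
func Triage(tok string, now time.Time, fetchKeys func(iss string) (Keys, error)) (string, error) {
	h, c, sig, err := ParseJWT(tok)
	switch {
	case err != nil:
		return "", err
	case !publicKeyAlgs[h.Alg]:
		return "skipped", nil // HS*: only the holder of the secret could verify it
	case c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)):
		return "expired", nil // settled offline; no request reaches the issuer
	case h.Alg != "RS256":
		return "", errors.New("only RS256 is implemented in this example")
	}
	keys, err := fetchKeys(c.Iss)
	if err != nil {
		return "", err
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return "invalid", errors.New("kid not published by issuer")
	}
	sum := sha256.Sum256([]byte(tok[:strings.LastIndex(tok, ".")])) // header.payload
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return "invalid", nil // key is published but the signature does not match
	}
	return "live", nil
}

// MintRS256 signs a token with key; it exists only to construct sample input.
func MintRS256(key *rsa.PrivateKey, kid, iss string, exp int64) string {
	hb, _ := json.Marshal(Header{Alg: "RS256", Kid: kid})
	cb, _ := json.Marshal(Claims{Iss: iss, Exp: exp})
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed issuer key, not a real service
	tok := MintRS256(key, "k1", "https://issuer.example", time.Now().Add(time.Hour).Unix())
	fmt.Println(Triage(tok, time.Now(), func(string) (Keys, error) { return Keys{"k1": &key.PublicKey}, nil }))
}
```

Run as-is, main mints a fresh token under a throwaway key and prints `live <nil>`. The ordering matters for cost and for stealth: a scanner that sees thousands of candidates should settle the shared-secret and expired cases without touching the issuer, and only spend a network request on tokens that could plausibly still be live.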
The detector has limitations. It does not support JWTs signed with a shared secret (HMAC), which are far more common: in TruffleHog's testing, shared-secret JWTs turned up 28 times more often than public-key ones, and no outside party can verify such a token without the secret. It also cannot verify tokens whose issuer is a non-routable IP address or does not support OIDC Discovery, since there is no reachable endpoint from which to fetch the public key. Identifying the application an exposed JWT belongs to is often hard, because the token carries little identifying information beyond its issuer and claims. Finally, revoking a JWT remains difficult: because tokens are stateless there is no central list to remove one from, so the options are to wait for it to expire, rotate the signing key (which invalidates every token signed with it), or add a revocation check to the application's own logic.