Our auth middleware was checking the kid claim before validating the signature. Sounds absurd in retrospect. An attacker could forge tokens with any known kid value, and our code just happily validated them without ever hitting the crypto. It took us 6 hours to spot because nobody was looking at the middleware until the first alerts fired.
What we're doing differently now: every piece of auth-touching code goes through a dedicated review by someone who didn't write it. Sounds obvious. We also added unit tests that deliberately pass malformed tokens to each step of the validation chain. The test suite literally tries to break the thing. Not integration tests: unit tests that specifically say "here's an invalid signature, make sure we reject it."
We also stopped letting deploys happen without at least one person manually walking through the security checklist. It's annoying. It takes 15 minutes. It's way cheaper than a Saturday incident.
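As an added illustration (not the poster's middleware, and not code from any library the post names), here is a minimal HS256 JWT verifier with the kid-before-signature bug beside its fixed form, plus the kind of "feed a bad token to every step" unit checks the post describes. The key IDs, secrets, claims and the HS256 choice are all constructed assumptions for the example; a real service would load keys from a JWKS or secret store rather than a module-level dict.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed key set for the example: kid -> HMAC secret (hypothetical values).
KEYS = {
    "key-2024": b"constructed-secret-2024",
    "key-2023": b"constructed-secret-2023",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segments(header: dict, claims: dict) -> str:
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())


def sign(claims: dict, kid: str) -> str:
    """Mint a genuine HS256 token under a known kid (used to build the test inputs)."""
    signing_input = _segments({"alg": "HS256", "typ": "JWT", "kid": kid}, claims)
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge(claims: dict, kid: str, alg: str = "HS256") -> str:
    """Attacker-built token: any kid/alg the attacker likes, garbage (or empty) signature."""
    sig = b"" if alg == "none" else b"not-a-real-signature"
    return _segments({"alg": alg, "typ": "JWT", "kid": kid}, claims) + "." + _b64url(sig)


def _parse(token: str):
    """Split and decode a compact token; raises ValueError on anything malformed."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64).decode("utf-8"))
    claims = json.loads(_unb64url(claims_b64).decode("utf-8"))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and claims must be JSON objects")
    return header_b64, claims_b64, header, claims, _unb64url(sig_b64)


def verify_vulnerable(token: str) -> Optional[dict]:
    """The bug from the post: a recognised kid is treated as 'trusted'; the HMAC is never computed."""
    try:
        _, _, header, claims, _ = _parse(token)
    except ValueError:
        return None
    if header.get("kid") in KEYS:
        return claims          # signature never checked
    return None


def verify_fixed(token: str) -> Optional[dict]:
    """Hardened: kid only selects the key; acceptance depends solely on the signature check."""
    try:
        header_b64, claims_b64, header, claims, given_sig = _parse(token)
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None            # refuse "none" and any alg this key set does not support
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        return None            # unknown kid: no key, no verification, no access
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    return claims


def break_it(verify: Callable[[str], Optional[dict]]) -> dict:
    """Unit-style checks that hand a bad token to each step of the chain.
    Every entry except 'valid' is True only when the verifier rejected the input."""
    good = sign({"sub": "alice", "role": "user"}, "key-2024")
    h, _, s = good.split(".")
    # Genuine header and signature, claims swapped for a privileged set.
    tampered = h + "." + _b64url(json.dumps({"sub": "alice", "role": "admin"}).encode()) + "." + s
    return {
        "valid": verify(good) == {"sub": "alice", "role": "user"},
        "forged_sig": verify(forge({"sub": "alice", "role": "admin"}, "key-2024")) is None,
        "unknown_kid": verify(forge({"sub": "alice"}, "key-9999")) is None,
        "tampered_claims": verify(tampered) is None,
        "alg_none": verify(forge({"sub": "alice", "role": "admin"}, "key-2024", alg="none")) is None,
        "garbage": verify("not.a.jwt") is None,
        "empty": verify("") is None,
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", verify_vulnerable), ("fixed", verify_fixed)):
        print(name, break_it(fn))
```

Running `break_it` against the vulnerable verifier shows it passing the "unknown kid" and "garbage input" cases while accepting forged, tampered and alg=none tokens, which is exactly why a test suite that only exercises the happy path and the obviously-malformed path would have missed this bug; the fixed verifier rejects every negative case and still accepts the genuine token.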