RS256 to HS256 confusion: if you can control the alg field in the JWT header and change it to HS256, the server might use the public key (pub.crt) as the HMAC secret when it verifies the token. Anyone who can sign a token with HS256 using that public key as the secret could then generate a token the server accepts as valid for the admin user.
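The confusion described above comes down to how the verifier chooses its algorithm. This added example (not code from the original notes or from the target application) puts a verifier that trusts the header next to one that pins RS256; the key pair, the `user` claim and all function names are assumptions made for the demonstration.

```javascript
// Added example, not code from the original notes. Key pair and claim names are constructed.
const nodeCrypto = require('crypto');

const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Token builder for the demo: RS256 signs with an RSA private key, HS256 MACs with `key`.
function makeToken(alg, claims, key) {
  const input = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  const sig = alg === 'RS256'
    ? nodeCrypto.sign('sha256', Buffer.from(input), key)
    : nodeCrypto.createHmac('sha256', key).update(input).digest();
  return `${input}.${sig.toString('base64url')}`;
}

function parse(token) {
  const [h, p, s] = token.split('.');
  const json = (part) => JSON.parse(Buffer.from(part, 'base64url').toString());
  return { header: json(h), claims: json(p), input: Buffer.from(`${h}.${p}`), sig: Buffer.from(s, 'base64url') };
}

// Vulnerable: the header picks the algorithm, and the same key material
// (the RSA public key PEM) is passed to whichever primitive that algorithm uses.
function verifyTrustingHeader(token, keyPem) {
  const t = parse(token);
  if (t.header.alg === 'HS256') {
    const mac = nodeCrypto.createHmac('sha256', keyPem).update(t.input).digest();
    return mac.length === t.sig.length && nodeCrypto.timingSafeEqual(mac, t.sig) ? t.claims : null;
  }
  if (t.header.alg === 'RS256') return nodeCrypto.verify('sha256', t.input, keyPem, t.sig) ? t.claims : null;
  return null;
}

// Hardened: the algorithm is pinned server-side; a header naming anything else is rejected
// before the key is used, so the public key can only ever act as an RSA verification key.
function verifyPinned(token, keyPem) {
  const t = parse(token);
  if (t.header.alg !== 'RS256') return null;
  return nodeCrypto.verify('sha256', t.input, keyPem, t.sig) ? t.claims : null;
}

// Constructed tokens: a legitimate guest token, and an HS256 token keyed with the public PEM.
const guestToken = makeToken('RS256', { user: 'guest' }, privateKey);
const confusedToken = makeToken('HS256', { user: 'admin' }, publicKey);
```

Both verifiers accept the RS256 guest token; only the header-trusting one accepts the HS256 token, which is why JWT libraries should be called with an explicit allow-list of algorithms rather than the value from the token.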



Get token
With guest token, /admin

Decode token
