Free & open source · OAuth / OIDC / JWT

Catch the auth bugs AI writes.

Your AI assistant writes login code in seconds. It also writes the same security holes it picked up from the rest of the internet. oauthlint reads that code like a security engineer and flags the dangerous patterns before they reach production.

No sign-up. No telemetry.

npx oauthlint scan ./src

The problem

Fluent in OAuth. Fluent in OAuth mistakes.

Copilot, Cursor and Claude will hand you a working auth flow on demand. They will also reach for alg: none, paste your client secret into the repo, stash tokens in localStorage and skip PKCE, because those patterns are everywhere in their training data. The code runs. The pull request looks clean. The vulnerability ships with it.

Generic SAST is too broad to care, and enterprise IAM platforms cost more than a startup makes in a year. oauthlint sits in the gap: one focused job, done well, for free.

What it catches

Thirty ways auth quietly breaks.

ERROR  jwt.alg-none

A JWT verified with alg: none, so anyone can forge a valid token.

ERROR  oauth.hardcoded-secret

A client_secret committed straight into the source tree.

HIGH  oauth.no-pkce

A public-client OAuth flow with no PKCE protecting the exchange.

HIGH  jwt.localstorage

An access token parked in localStorage, ready for any XSS to read.

WARN  cookie.no-secure

A session cookie set without Secure or HttpOnly flags.

WARN  oauth.no-state

An OAuth redirect with no state check, wide open to CSRF.

See all 30 rules across OAuth, JWT, cookies, CORS and sessions →

How it works

From scan to fix in one command.

$ npx oauthlint scan ./src
01

Run it

One command, no config, no account. Point it at your code and it reads every auth path the way a reviewer would.

02

Read the verdict

Each finding names the rule, the exact file and line, what makes it dangerous, and a link to the fix. No noise, no lecture.

03

Ship it clean

Fix it yourself, or let --fix handle the safe ones. Wire it into CI and the same bug never comes back.

Runs on Semgrep. Install it once with pipx install semgrep or brew install semgrep.

Everywhere you ship

Your terminal, your CI, your editor.

CLI

One command locally or in a pre-commit hook. Pretty output, plus JSON and SARIF.

GitHub Action

A Docker-based step that gates every pull request, whatever language your repo speaks.

VS Code

Inline diagnostics as you type, with a Quick Fix to suppress a line on purpose.

Good auth security shouldn't cost $50k.

The fundamentals belong in everyone's toolbox, not behind a sales call. oauthlint is free and open source, the developer-first edge of Auspeo's work on identity security.

Released under the MIT License · powered by Semgrep