
Issue: Potential Security Concern - Hardcoded JWT Token in Test File TestUtils.java #728

@iceiceee

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

A fully-formed, valid JWT token is hardcoded as a static string in a test utility file. While located in the test directory, hardcoding structured credentials (as opposed to clear placeholders) represents a security anti-pattern and a poor example for users of this security-focused library. It creates a risk of accidental misuse in production contexts and contradicts security best practices.

Reproduction

Navigate to the main branch of the auth0/java-jwt GitHub repository.

Open the file: /lib/src/test/java/com/auth0/jwt/TestUtils.java.

Examine the line containing the constant: public static final String TEST_API_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";

Observe that the string value is a complete JWT (with header, payload, and signature segments).

Additional context

No response

java-jwt version

4.5.0

Java version

17.0.12
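One defender-side check for the anti-pattern this issue describes, added here as an example and not part of java-jwt or the reporter's text: a scanner that reports only fully formed JWT literals (a header that decodes to JSON with "alg" plus a payload that decodes to a JSON object) and ignores placeholder strings, alongside a helper that mints an HS256 fixture token at test time so a suite needs no literal at all. The Java text it scans is constructed; `mint_test_jwt`, `find_hardcoded_jwts` and the secret value are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import re

def _b64url(raw):
    """Base64url-encode bytes without padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_json(segment):
    """Decode one JWT segment to JSON, or None when it is not a JSON segment."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, non-UTF-8 bytes, or non-JSON content
        return None

def mint_test_jwt(secret, claims):
    """Mint an HS256 token at test time so the fixture needs no hardcoded literal (assumed helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

# Three base64url segments; "eyJ" is how every base64url-encoded JSON header begins.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def find_hardcoded_jwts(source):
    """Return (line_no, alg, claim_names) for every fully formed JWT literal in source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in JWT_RE.finditer(line):
            header_b64, payload_b64, _signature = match.group(0).split(".")
            header = _b64url_json(header_b64)
            payload = _b64url_json(payload_b64)
            # Require a JSON header with "alg" and a JSON payload; truncated placeholders fail this.
            if isinstance(header, dict) and "alg" in header and isinstance(payload, dict):
                findings.append((line_no, header["alg"], sorted(payload)))
    return findings

# Constructed sample of the anti-pattern: a Java test class holding a complete token next
# to an obvious placeholder. The token is minted here, so no real credential is embedded.
SAMPLE_TOKEN = mint_test_jwt("constructed-secret", {"sub": "test-user", "iss": "example"})
SAMPLE_JAVA = "\n".join([
    "public final class TestUtils {",
    '    public static final String PLACEHOLDER = "eyJhbGciOi.PLACEHOLDER.SIGNATURE";',
    f'    public static final String TEST_API_KEY = "{SAMPLE_TOKEN}";',
    "}",
])
```

Running `find_hardcoded_jwts(SAMPLE_JAVA)` reports only the line holding the complete token, with its algorithm and claim names, which is the shape of finding a pre-commit hook or CI step can fail on.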

Labels: bug (This points to a verified bug in the code)