
3 Broken Auth Bugs Cursor Keeps Writing Into JWT Code
TL;DR

- Cursor generates jwt.decode instead of jwt.verify. jwt.decode only base64-decodes the payload and never checks the signature, so anyone can forge a token.
- Hardcoded 'secret' strings appear in most AI-generated JWT auth code; the model learned it from tutorials.
- Three changes fix the worst of it: use jwt.verify, pull the secret from process.env, and add expiresIn: '15m'.

I have been reviewing side projects and startup MVPs built with Cursor and Claude Code for the last few months. The auth code patterns are remarkably consistent. Not consistent in a good way.

The specific issue I keep hitting is JWT implementation. Almost every codebase I look at has at least one of three problems, sometimes all three in the same file. And the pattern is so uniform that it is clearly a training data problem, not a developer knowledge problem.

The Code Cursor Generates

Here is a condensed but representative example of what comes out of Cursor when you ask it to scaffold a login endpoint:

```javascript
const jwt = require('jsonwebtoken');
app.post('/lo
```
Continue reading on Dev.to Webdev

