
The JWT Expiry Bug Every AI Model Generates

Cost ledger

  • concept-select: $0.174
  • hook: $0.063
  • script: $0.057
  • storyboard: $0.195
  • factcheck: $0.166
  • qa: $0.074
  • revise: $0.151
  • qa2: $0.042
  • package: $0.017
  • total: $0.939

QA Council

Overall: 8.9/10

  • specificity: 9
  • utility: 9
  • technical validity: 8
  • visual clarity: 9
  • brand fit: 10
  • anti slop: 9
  • platform safety: 8

Notes:
  • Hook is surgical — names the tool, names the field, implies a specific failure. No fluff.
  • Two-bug breakdown (units + operator inversion) elevates this above the usual 'AI gets jwt wrong' take. Most similar content only catches one.
  • Live replay with a Jan 2024 token and 200 OK is the kill shot. Concrete, reproducible, visceral.
  • Technical validity caveat: scene s3 narration says 'fix the units and the greater-than still rejects valid tokens' — this is correct but could confuse viewers who only half-listen. A single on-screen annotation clarifying both conditions simultaneously would reduce misread risk.
  • before_after scene is clean and does the cognitive work for the viewer without over-explaining.
  • CVE framing in s6 is credible but unsubstantiated — no CVE number cited. Fine for short-form, but advanced viewers may push back. Saying 'real CVE class' instead of 'Real CVE debt' is slightly safer.
  • CTA is on-brand and earns the follow by implying a series, not begging.
  • No hype language, no emoji spam, no fake benchmarks. Passes the anti-slop filter cleanly.
  • Platform safety: terminal output showing admin:true + auth bypass replay is authentic but could be flagged by automated moderation on some platforms. Low risk, worth monitoring.

Storyboard / 29s

  1. hook_text (3s)
  2. code_block (5s)
  3. warning (5s)
  4. terminal (5s)
  5. before_after (4s)
  6. warning (3s)
  7. cta (4s)


Script

Hook: "Cursor wrote your auth. The exp field is wrong."

Narration beats:
"jwt.decode skips all verification. No signature check. No expiry check. Nothing."
"exp is Unix seconds. Date.now is milliseconds. The comparison silently passes everything."
"Replay a token from six months ago. Your server says 200."
"The fix is one line. jwt.verify with your secret. The library checks both."
"If this is in production, your sessions have no expiry boundary."

Run log

Status: finished / packaged

15:12:36 Trend scan: not recorded
15:12:36 Idea selected: mistake fix / The JWT verification pattern AI models always generate wrong
15:01:27 Hook chosen: Cursor wrote your auth. The exp field is wrong.
15:02:01 Script drafted: 6 narration beats
15:04:27 Storyboard built: 7 scenes
15:06:23 Fact check: $0.166
15:07:13 QA scored: 8.9/10 pass
15:12:36 Packaging: The JWT Expiry Bug Every AI Model Generates
15:12:36 Render asset: MP4 ready
15:12:36 packaged: "The JWT Expiry Bug Every AI Model Generates" — total $0.939
15:12:24 derivatives: thumbnail + 2 aspect ratios
15:12:12 rendered → /Users/lexaplus/development/Socheli/data/renders/claude_20260605145856.mp4
15:11:06 beat-sync: 66 beats; sfx: 7 cues
15:11:06 b-roll: 7/7 scenes
15:10:36 music generated
15:09:11 QA passed: 8.9/10
15:07:13 revising (QA 9/10): units mismatch (exp seconds vs Date.now() ms) is a real, underreported footgun, not a made-up edge case; jwt.decode skipping signature and expiry is factually correct for the jsonwebtoken library; no hand-waving; terminal replay (s4) is the sharpest beat: a concrete 200 OK from a Jan 2024 token beats any amount of explanation