Writeup for the potential security issue that the HAAPI authorization flow sends a valid, signed JWT to the front end. Because these HAAPI JWTs are exposed in the browser, a misconfigured API that accepts Curity tokens after validating only the JWT signature would let an attacker use a leaked JWT to gain unauthorized access to the API.
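As an added illustration (not code from the writeup or from Curity), the two validators below contrast the signature-only check described above with one that also binds the token to the API as an access token. The issuer URL, API audience, HS256 key and both token payloads are constructed for the demo, and the `at+jwt` header check assumes the API's real access tokens carry the RFC 9068 type.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: a real deployment verifies asymmetric signatures
# against the issuer's JWKS, but the claim checks below are the same.
SECRET = b"constructed-demo-signing-key"
ISSUER = "https://idsvr.example.test/oauth/v2/oauth-anonymous"  # hypothetical
API_AUDIENCE = "https://api.example.test"                        # hypothetical

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def mint(header: dict, claims: dict) -> str:
    # Helper so the example runs offline; not part of any API's code.
    h, c = _b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return f"{h}.{c}.{_b64url(sig)}"

def signature_only_check(token: str) -> bool:
    # The misconfiguration: every token signed by the trusted server is accepted,
    # including one the browser received during the authentication flow itself.
    h, c, s = token.split(".")
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(s))

def hardened_check(token: str, now=None) -> bool:
    # Signature plus the claims that bind the token to THIS API as an access token.
    if not signature_only_check(token):
        return False
    header = json.loads(_b64url_decode(token.split(".")[0]))
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    return (header.get("typ") == "at+jwt"          # RFC 9068 access-token type
            and claims.get("iss") == ISSUER
            and API_AUDIENCE in aud_list
            and claims.get("exp", 0) > now)

# Constructed tokens: one shaped like a token handed to the browser during
# authentication (same issuer, no API audience), one genuine access token.
NOW = 1_700_000_000
FRONTEND_TOKEN = mint({"alg": "HS256", "typ": "JWT"},
                      {"iss": ISSUER, "sub": "alice", "exp": NOW + 600})
ACCESS_TOKEN = mint({"alg": "HS256", "typ": "at+jwt"},
                    {"iss": ISSUER, "sub": "alice", "aud": API_AUDIENCE,
                     "scope": "read", "exp": NOW + 600})
```

Both constructed tokens pass `signature_only_check`; only the access token passes `hardened_check`, which is the property an API consuming Curity tokens needs.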