CTF
Root-me
JSON Web Token (JWT) - Introduction
It’s an introduction, this challenge is basic, you just need to understand how jwt work, and learn basic exploits and test these.
JWT - Revoked token
With this challenge, you will see a developer try to secure her app, but you can bypass it, check RFC 4648
JSON Web Token (JWT) - Public key
With a public key, and alg used in jwt header, you can try RSA/HMAC confusion exploit.
PentesterLab
JWT I to XIII
For each challenge, read the course and checked my documentation, especially exploit section, all challenges can be resolved with only one command line with myjwt cli