Lab: JWT authentication bypass via flawed signature verification

You just have to remove the signing algorithm by setting it to none, and set the user to administrator.

FYI: you can just click the Attack button and choose none.

Then delete the user carlos.
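Why setting the algorithm to none works, and what the server-side fix looks like, as an added example that is not part of the original notes or the lab's own code. The secret, both verifier functions and the sample tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed sample key, not from the lab

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, claims: dict, key: bytes = b"") -> str:
    """Build a sample token; signed with HMAC-SHA256 only when a key is given."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url(sig)

def verify_flawed(token: str):
    """Trusts the token's own 'alg' header, so 'none' skips the signature check."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg != "none":
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
    return json.loads(b64url_decode(body))

def verify_hardened(token: str):
    """Pins HS256 server-side; the header may confirm the algorithm, never choose it."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: reject rather than raise

# Constructed sample tokens: one properly signed, one unsigned with alg set to none
SIGNED = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "carlos"}, SECRET)
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, {"sub": "administrator"})

if __name__ == "__main__":
    for name, fn in (("flawed", verify_flawed), ("hardened", verify_hardened)):
        print(name, fn(SIGNED), fn(UNSIGNED))
```

The flawed verifier returns the administrator claims for the unsigned token, while the hardened one rejects it and still accepts the correctly signed token.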
