Token Audit — at1 token-audit
A general entropy test tells you a token “looks random.” AT-1 gives you a proof: it recovers the generator and predicts the next victim’s token. at1 token-audit is the AT-1 weak-RNG auditor pointed at the security tokens your app actually emits — session IDs, password-reset tokens, API keys, voucher codes, nonces. It auto-decodes the token encoding (hex / base64 / base64url), reconstructs the byte stream an attacker would harvest, and returns a calibrated verdict.
Use it
# Collect a sample of the tokens your app issues (one per line), then audit them.
at1 token-audit scan tokens.txt --encoding hex # hex / base64 / base64url auto-detected
# -> [BROKEN] recovered mt19937 -> next token is PREDICTABLE (exit 2)
# -> [PASS] resists recovery + incompressible (exit 0)
# CI gate: non-zero exit = a weakness was found.
at1 token-audit scan tokens.txt && echo "tokens OK" || echo "WEAK TOKENS — fix before shipping"
Verdicts
- BROKEN — a generator was recovered; the next token is predictable. This is a proof, not a hint. (exit 2)
- WEAK — no generator recovered, but the stream is compressible: exploitable structure, not crypto-grade.
- PASS — resists recovery and is incompressible to this tool. (exit 0)
What it catches (validated against real implementations)
The classic bug — a language’s random / mt_rand / rand used for tokens instead of a CSPRNG — is fully recoverable. In testing, Python’s random and numpy’s legacy RandomState (both Mersenne Twister) come back BROKEN, while secrets, uuid4, os.urandom, numpy’s modern PCG64 and a PyJWT HS256 signature all PASS — zero false positives on real CSPRNG sources.
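As an added example (this is not at1's code and makes no claim about how AT-1 itself is implemented), the Python script below shows the defender-side pipeline the page describes: three hypothetical token issuers, the classic bug (the random module) beside its fix (the secrets module) plus a low-entropy counter token; auto-detection of hex / base64 / base64url; reconstruction of the byte stream an attacker would harvest; and the compressibility half of the verdict. The token issuers, the hex-first decoding heuristic and the 0.9 compression-ratio threshold are all assumptions made for this example, not values from the page. It deliberately does not implement generator recovery, so it can only produce WEAK or a compressibility-only PASS; the run shows why that is not enough, because Mersenne Twister output is incompressible and only a recovery test (the BROKEN verdict) catches it.

```python
import base64
import random
import secrets
import time
import zlib

# Hypothetical token issuers, constructed for this example.

def weak_counter_token(n: int) -> str:
    # Low-entropy token: timestamp + counter, hex-encoded.
    # The byte stream is mostly repeated bytes, so it compresses well.
    return f"{int(time.time()):08x}{n:08x}"

def weak_mt_token() -> str:
    # The classic bug: Mersenne Twister (random module) used for a token.
    # Its output is incompressible, so only generator recovery catches it.
    return random.getrandbits(128).to_bytes(16, "big").hex()

def strong_token() -> str:
    # The fix: CSPRNG-backed token (base64url, unpadded).
    return secrets.token_urlsafe(16)

HEX_CHARS = set("0123456789abcdefABCDEF")
B64URL_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def detect_and_decode(token: str) -> bytes:
    # Auto-detect hex / base64 / base64url and return the raw bytes.
    # Assumption: an even-length all-hex string is treated as hex first;
    # a base64 token that happens to contain only hex characters would be
    # misread, which is an inherent ambiguity of any such heuristic.
    t = token.strip()
    if t and len(t) % 2 == 0 and set(t) <= HEX_CHARS:
        return bytes.fromhex(t)
    padded = t + "=" * (-len(t) % 4)  # restore stripped '=' padding
    if set(t) <= B64URL_CHARS:
        return base64.urlsafe_b64decode(padded)
    return base64.b64decode(padded, validate=True)

def harvest(tokens) -> bytes:
    # Rebuild the byte stream an attacker would collect from issued tokens.
    return b"".join(detect_and_decode(t) for t in tokens)

def compression_ratio(stream: bytes) -> float:
    # compressed / raw size: random bytes give ~1.0, structured bytes far less.
    return len(zlib.compress(stream, 9)) / len(stream)

def audit(tokens, threshold: float = 0.9) -> dict:
    # Compressibility check only. The threshold is an assumed value for this
    # example; no generator-recovery test is implemented, so this can never
    # return the BROKEN verdict that AT-1 produces for a recovered generator.
    stream = harvest(tokens)
    ratio = compression_ratio(stream)
    verdict = "WEAK" if ratio < threshold else "PASS (compressibility only)"
    return {"verdict": verdict, "ratio": round(ratio, 3), "bytes": len(stream)}

if __name__ == "__main__":
    random.seed(1)  # fixed seed so the MT sample is reproducible
    samples = [
        ("counter", [weak_counter_token(i) for i in range(200)]),
        ("mt19937", [weak_mt_token() for _ in range(200)]),
        ("secrets", [strong_token() for _ in range(200)]),
    ]
    for name, toks in samples:
        print(name, audit(toks))
```

Running it flags the counter tokens as WEAK, while both the Mersenne Twister tokens and the secrets tokens come back as a compressibility-only PASS: the compressibility test alone cannot separate the classic bug from a real CSPRNG, which is exactly the gap the page's generator-recovery (BROKEN) verdict fills.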
Honest scope
A PASS means “resists these known attacks and is incompressible,” not “provably secure.” The auditor detects known-weak generators (Mersenne Twister from enough consecutive outputs, LCG families and full-output LCGs, java.util.Random, short cycles, low-dim chaos) — it is not arbitrary cryptanalysis. The auditor is a subscription feature; see pricing. To turn a PASS into a re-checkable trust artifact, see Entropy Attestation.