1. only contains three useful links: /admin(JSON query), /adminNames to obtain getFile with admin names), and /Login to obtain POST JSON query result.

2. I was able to obtain the 'secret code' via

3. POST and query:

"username" : "din_djarin11",
"password" : ""

You will recieve the token:

4. Go to https://jwt.io/ to decode your token and you will see the following result:
"alg": "HS256",
"typ": "JWT"

"username": "qva_qwneva11",
"password": "",
"admin": "snyfr",
"iat": 1622932549

5. Convert "admin": "snyfr" to "admin": "gehr" (ROT13 conversion) and put "G00D_s0ld13rs_k33p_s3cret5" under verify signature box.

6. GET and add authorization tab under Header section, and send it.

You will see the output:
Hey din_djarin11! Here's your flag: FURYY{G0x3af_q0_z4gg3e_4r91ns4506s384q460s0s0p6r9r5sr4n}

7. Convert the flag with ROT13 and you will recieve:

Original writeup (https://github.com/RandomPost/CTF-Writeups/blob/main/Fun%20with%20tokens.txt).