# Week 41 - BURP ATOR

Are you tired of JSON Web Tokens (JWTs) quickly expiring while running an [#AppSec](https://www.linkedin.com/feed/hashtag/?keywords=appsec\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A6991411336362520576) engagement?

I know firsthand the frustration you can feel when tokens seem to expire before you can even send them to the Repeater tab!

Luckily there is an amazing [#BurpSuite](https://www.linkedin.com/feed/hashtag/?keywords=burpsuite\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A6991411336362520576) extension called Authentication Token Obtain and Replace (ATOR). To use it, all you need to do is:

1. Specify the Error Condition: when does ATOR need to take action, i.e. what in the response tells you the JWT has expired? See the screenshot below for an example of how I told ATOR to act upon receiving a 401 Unauthorized response.

2. Obtain New Token: tell ATOR to re-run the login request that responds with a valid JWT. Select that JWT in the response so ATOR knows how to identify it.

3. Replace the Token: when the error condition from step 1 occurs (401 Unauthorized), where should ATOR place the new token acquired in step 2? Most likely this will be in the request header: `Authorization: Bearer <token-here>`.

Last, in the settings select which tools you want ATOR to run on; I recommend both Repeater and Intruder. Now your macro should run in the background, allowing you a little less frustration in your life!

![](https://3053998085-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxZo6Sim2dDXChJQAtNXN%2Fuploads%2F8nfXIuNHNVKagJftrRWT%2Fimage.png?alt=media\&token=535cb254-1f3d-4681-a6da-419abee0b770)
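To make the three ATOR steps concrete, here is an added Python example (not ATOR's code and not part of the original post) that models the same obtain-and-replace loop against a constructed in-memory stand-in for the target application: a `/login` endpoint that issues a short-lived placeholder token, a protected endpoint that answers 401 once the token has expired, and a wrapper that watches for the error condition, re-runs the login request, extracts the token from its body with a regex, and rewrites the `Authorization: Bearer` header before resending. The `FakeApp`, its simulated clock, the `jwt-N` token strings and the `"access_token"` JSON key are all assumptions made for the demo; a real engagement would substitute the application's own login request and token format.

```python
import json
import re


class FakeApp:
    """Constructed stand-in for the target application (no network involved)."""

    def __init__(self, token_ttl):
        self.token_ttl = token_ttl
        self.clock = 0        # simulated time; demo() advances it between requests
        self.expiry = {}      # token -> simulated time at which it stops being valid
        self.logins = 0       # how many times the login request actually ran

    def send(self, request):
        if request["path"] == "/login":
            self.logins += 1
            token = f"jwt-{self.logins}"   # constructed placeholder, not a real JWT
            self.expiry[token] = self.clock + self.token_ttl
            return {"status": 200, "body": json.dumps({"access_token": token})}
        auth = request["headers"].get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        exp = self.expiry.get(token)
        if exp is None or self.clock >= exp:
            return {"status": 401, "body": "unauthorized"}
        return {"status": 200, "body": f"hello, holder of {token}"}


class TokenObtainAndReplace:
    """Mirrors the three ATOR steps: error condition, obtain new token, replace it."""

    def __init__(self, send, login_request, error_status=401,
                 token_regex=r'"access_token"\s*:\s*"([^"]+)"',
                 header="Authorization", prefix="Bearer "):
        self.send = send                       # function that performs one request
        self.login_request = login_request     # step 2: the request that yields a token
        self.error_status = error_status       # step 1: the error condition
        self.token_regex = re.compile(token_regex)  # step 2: how to spot the token
        self.header = header                   # step 3: where the token goes
        self.prefix = prefix
        self.token = None

    def obtain(self):
        """Step 2: re-run the login request and pull the token out of its response."""
        resp = self.send(self.login_request)
        match = self.token_regex.search(resp["body"])
        if resp["status"] != 200 or not match:
            raise RuntimeError("login request did not yield a token")
        self.token = match.group(1)
        return self.token

    def request(self, req):
        """Send a request; on the error condition, refresh the token and resend once."""
        req = {**req, "headers": dict(req.get("headers", {}))}  # do not mutate caller's dict
        if self.token:
            req["headers"][self.header] = self.prefix + self.token  # step 3
        resp = self.send(req)
        if resp["status"] == self.error_status:                     # step 1 triggered
            self.obtain()
            req["headers"][self.header] = self.prefix + self.token  # step 3 again
            resp = self.send(req)
        return resp


def demo(ttl=5, requests=8):
    """Drive the wrapper past several token expiries; return (statuses seen, logins run)."""
    app = FakeApp(token_ttl=ttl)
    ator = TokenObtainAndReplace(app.send, {"path": "/login", "headers": {}})
    protected = {"path": "/api/me", "headers": {}}
    statuses = []
    for step in range(requests):
        app.clock = step * 2   # two simulated time units pass between requests
        statuses.append(ator.request(protected)["status"])
    return statuses, app.logins


if __name__ == "__main__":
    statuses, logins = demo()
    print(f"statuses: {statuses}; login request ran {logins} times")
```

With a token lifetime of 5 simulated units and requests every 2 units, the caller never sees a 401: the wrapper absorbs each expiry, re-runs the login request only when needed (three times across eight requests), and resends with the fresh token, which is exactly what the ATOR macro does for Repeater and Intruder in the background.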
