Payload Injection can happen in the following cases:
1. None Algo: If the library supports the none algo, then the signature validation doesn't happen at all, making it an easy candidate for payload injection.
2. SQL Injection: Consider this case - If every user has a separate signing key, for instance, then the user info has to be retrieved from the token to get the signing key, right? In that case, if the input is trusted just because it's coming from a JWT token, there's a chance of SQLi --- not very common though, as I have already mentioned in the article.
SQLi can also happen when user-supplied input is embedded into the token -- say my username from a website is added to the token and this is later used to look up my info from the db - then too it's considered a payload injection.
3. JSON Injection: If a library constructs JWTs in an unsafe manner by tacking user input into the payload, one can easily modify the token claims (JSON Parameter Pollution attack). That's another nice way to perform payload injection.
I hope these examples reflect some potential payload injection scenarios :)
Btw this post was quite generic, and I am planning a bigger post, with a more concrete decision tree on what to do when certain conditions are met.
If this post does well, then I will work on that one :)
Cheers!
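Added example, not part of the original comment or of any library mentioned in it: a standard-library verifier that closes cases 1 and 2 above by pinning the algorithm server-side and by looking up the per-user signing key with a bound parameter. The `users` table, the key values and the function names are constructed assumptions.

```python
import base64, hashlib, hmac, json, sqlite3

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, claims: dict, key: bytes) -> str:
    """Build a constructed sample token; an empty key gives an unsigned one."""
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest() if key else b""
    return body + "." + b64url_encode(sig)

def sample_db() -> sqlite3.Connection:
    """Constructed per-user signing keys (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, signing_key BLOB)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", b"constructed-key-alice"), ("bob", b"constructed-key-bob")])
    return db

def verify(token: str, db: sqlite3.Connection):
    """Return the claims if the token verifies, otherwise None."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Case 1: pin the algorithm on the server side; "none" never matches.
    if header.get("alg") != "HS256":
        return None
    # Case 2: "sub" is still untrusted here (nothing is verified yet), so it is
    # passed as a bound parameter, never concatenated into the SQL text.
    sub = claims.get("sub")
    if not isinstance(sub, str):
        return None
    row = db.execute("SELECT signing_key FROM users WHERE username = ?", (sub,)).fetchone()
    if row is None:
        return None
    expected = hmac.new(row[0], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(sig, expected) else None
```
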