Intent-Code Divergence
Medium
- Confidence
- 94% confidence
- Finding
- The header comment claims the server verifies request signatures, but the implementation only compares a static token in `_verifyRequest`. This mismatch can lead operators to rely on stronger authenticity guarantees than actually exist, increasing the chance of replayable or spoofed requests if the token is exposed or reused.
