JSON Web Token Hack Toolkit

A high-performance toolkit for testing, analyzing and attacking JSON Web Tokens.

cargo install jwt-hack

brew install jwt-hack

sudo snap install jwt-hack

git clone https://github.com/hahwul/jwt-hack
cd jwt-hack
cargo install --path .

docker pull ghcr.io/hahwul/jwt-hack:latest

docker pull hahwul/jwt-hack:v2.4.0

You can decode both regular and DEFLATE-compressed JWTs. The tool will automatically detect and decompress compressed tokens.

jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED
jwt-hack decode COMPRESSED_JWT_TOKEN

Decode JWE (JSON Web Encryption) tokens to analyze their structure. The tool automatically detects JWE format (5 parts) and displays the encryption details.

# Decode JWE token structure
jwt-hack decode eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2.eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn

# Shows JWE header, encrypted key, IV, ciphertext, and authentication tag

jwt-hack encode '{"sub":"1234"}' --secret=your-secret

You can use the --compress option to apply DEFLATE compression to the JWT payload.

jwt-hack encode '{"sub":"1234"}' --secret=your-secret --compress

ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key jwt-hack encode '{"a":"z"}' --private-key RS256.key --algorithm=RS256

### Encode a JWE

Create JWE (JSON Web Encryption) tokens for testing encrypted JWT scenarios.

```bash
# Basic JWE encoding
jwt-hack encode '{"sub":"1234", "data":"encrypted"}' --jwe --secret=your-secret

# JWE tokens are encrypted and can only be decrypted with the proper key
jwt-hack encode '{"sensitive":"data"}' --jwe

Checks if a JWT's signature is valid using the provided secret or key.

# With Secret (HMAC algorithms like HS256, HS384, HS512)
jwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret

# With Private Key (for asymmetric algorithms like RS256, ES256, EdDSA)
jwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key

Dictionary and brute force attacks also support JWTs compressed with DEFLATE.

# Dictionary attack
jwt-hack crack -w wordlist.txt JWT_TOKEN
jwt-hack crack -w wordlist.txt COMPRESSED_JWT_TOKEN

# Bruteforce attack
jwt-hack crack -m brute JWT_TOKEN --max=4
jwt-hack crack -m brute COMPRESSED_JWT_TOKEN --max=4

jwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com

Automatically scan JWT tokens for common security issues and vulnerabilities.

# Full scan including weak secret detection and payload generation
jwt-hack scan JWT_TOKEN

# Skip secret cracking for faster results
jwt-hack scan JWT_TOKEN --skip-crack

# Skip payload generation
jwt-hack scan JWT_TOKEN --skip-payloads

# Use custom wordlist for weak secret detection
jwt-hack scan JWT_TOKEN -w custom_wordlist.txt

# Limit secret testing attempts
jwt-hack scan JWT_TOKEN --max-crack-attempts 50

The scan command checks for:

• None algorithm vulnerability: Detects if the token accepts unsigned tokens
• Weak secrets: Tests against common passwords (customizable with wordlist)
• Algorithm confusion: Identifies tokens vulnerable to RS256->HS256 attacks
• Token expiration issues: Checks for missing or improper expiration claims
• Missing security claims: Verifies presence of recommended JWT claims
• Kid header injection: Detects potential SQL/path injection vulnerabilities
• JKU/X5U header attacks: Identifies URL spoofing attack vectors

Start a local REST API for automation and integrations. To require authentication, use --api-key and include X-API-KEY in requests.

# Start on localhost:3000 with API key protection
jwt-hack server --api-key your-api-key

# Example request (must include X-API-KEY when --api-key is set)
curl -s http://127.0.0.1:3000/health -H 'X-API-KEY: your-api-key'

jwt-hack can run as an MCP server, allowing AI models to interact with JWT functionality through a standardized protocol.

# Start MCP server (communicates via stdio)
jwt-hack mcp

The MCP server exposes the following tools:

The MCP server is designed to be used by AI models and MCP clients. Each tool accepts JSON parameters and returns structured responses.

Decode Tool:

{
  "name": "decode",
  "arguments": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Encode Tool:

{
  "name": "encode",
  "arguments": {
    "json": "{\"sub\":\"1234\",\"name\":\"test\"}",
    "secret": "mysecret",
    "algorithm": "HS256"
  }
}

You can connect jwt-hack’s MCP server to popular MCP-enabled clients. Make sure the jwt-hack binary is on your system and accessible by the client.

VSCode

{
  "servers": {
    "jwt-hack": {
      "type": "stdio",
      "command": "jwt-hack",
      "args": [
        "mcp"
      ]
    }
  },
  "inputs": []
}

Claude Desktop

{
  "mcpServers": {
    "jwt-hack": {
      "command": "jwt-hack",
      "args": ["mcp"],
      "env": {}
    }
  }
}

DEFLATE Compression Support The jwt-hack toolkit supports DEFLATE compression for JWTs.

• Use the --compress option with encode to generate compressed JWTs.
• The decode and crack modes automatically detect and handle compressed JWTs.

Urx is open-source project and made it with ❤️ if you want contribute this project, please see CONTRIBUTING.md and Pull-Request with cool your contents.