Brute-force HS256, HS384 or HS512 JWT Token from your browser. Using exclusively 100% client-side JavaScript. No installation needed.

Demo :

Made with Vue 3 (TypeScript, 0 dependency) using web workers and a futuristic looking UI.

Contributions are welcome!

Update 04-2025 : The domain has changed from jwt-cracker.online to jwt.cracking.ovh

• HS256, HS384, HS512
• Bruteforcing with custom character set
• Bruteforcing with custom length
• Dictionary attack with a preset of lists
• Custom dictionary (#1)
• Timer and other statistics
• Bruteforcing using webassembly (#2)
• Notification when finished (#3)

VSCode + Volar (and disable Vetur) + TypeScript Vue Plugin (Volar).

TypeScript cannot handle type information for .vue imports by default, so we replace the tsc CLI with vue-tsc for type checking. In editors, we need TypeScript Vue Plugin (Volar) to make the TypeScript language service aware of .vue types.

If the standalone TypeScript plugin doesn't feel fast enough to you, Volar has also implemented a Take Over Mode that is more performant. You can enable it by the following steps:

1. Disable the built-in TypeScript Extension
   1. Run Extensions: Show Built-in Extensions from VSCode's command palette
   2. Find TypeScript and JavaScript Language Features, right click and select Disable (Workspace)
2. Reload the VSCode window by running Developer: Reload Window from the command palette.

See Vite Configuration Reference.

npm install

npm run dev

npm run build

npm run lint