JSON Web Token Hack Toolkit

A high-performance toolkit for testing, analyzing and attacking JSON Web Tokens.

cargo install jwt-hack

brew install jwt-hack

sudo snap install jwt-hack

git clone https://github.com/hahwul/jwt-hack
cd jwt-hack
cargo install --path .

docker pull ghcr.io/hahwul/jwt-hack:latest

docker pull hahwul/jwt-hack:v2.3.1

Note: The Scan and Server commands are introduced in v2.4.0 and are not yet released. They are unavailable in current binaries. To try them early, build from the main branch.

The Server can be secured with --api-key, which requires clients to include the X-API-KEY header on all requests.

Note: The Scan and Server commands are introduced in v2.4.0 and are not yet released. They are unavailable in current binaries. To try them early, build from the main branch.

You can decode both regular and DEFLATE-compressed JWTs. The tool will automatically detect and decompress compressed tokens.

jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED
jwt-hack decode COMPRESSED_JWT_TOKEN

Decode JWE (JSON Web Encryption) tokens to analyze their structure. The tool automatically detects JWE format (5 parts) and displays the encryption details.

# Decode JWE token structure
jwt-hack decode eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2.eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn

# Shows JWE header, encrypted key, IV, ciphertext, and authentication tag

jwt-hack encode '{"sub":"1234"}' --secret=your-secret

You can use the --compress option to apply DEFLATE compression to the JWT payload.

jwt-hack encode '{"sub":"1234"}' --secret=your-secret --compress

ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key jwt-hack encode '{"a":"z"}' --private-key RS256.key --algorithm=RS256

### Encode a JWE

Create JWE (JSON Web Encryption) tokens for testing encrypted JWT scenarios.

```bash
# Basic JWE encoding
jwt-hack encode '{"sub":"1234", "data":"encrypted"}' --jwe --secret=your-secret

# JWE tokens are encrypted and can only be decrypted with the proper key
jwt-hack encode '{"sensitive":"data"}' --jwe

Checks if a JWT's signature is valid using the provided secret or key.

# With Secret (HMAC algorithms like HS256, HS384, HS512)
jwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret

# With Private Key (for asymmetric algorithms like RS256, ES256, EdDSA)
jwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key

Dictionary and brute force attacks also support JWTs compressed with DEFLATE.

# Dictionary attack
jwt-hack crack -w wordlist.txt JWT_TOKEN
jwt-hack crack -w wordlist.txt COMPRESSED_JWT_TOKEN

# Bruteforce attack
jwt-hack crack -m brute JWT_TOKEN --max=4
jwt-hack crack -m brute COMPRESSED_JWT_TOKEN --max=4

jwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com

Automatically scan JWT tokens for common security issues and vulnerabilities.

# Full scan including weak secret detection and payload generation
jwt-hack scan JWT_TOKEN

# Skip secret cracking for faster results
jwt-hack scan JWT_TOKEN --skip-crack

# Skip payload generation
jwt-hack scan JWT_TOKEN --skip-payloads

# Use custom wordlist for weak secret detection
jwt-hack scan JWT_TOKEN -w custom_wordlist.txt

# Limit secret testing attempts
jwt-hack scan JWT_TOKEN --max-crack-attempts 50

The scan command checks for:

• None algorithm vulnerability: Detects if the token accepts unsigned tokens
• Weak secrets: Tests against common passwords (customizable with wordlist)
• Algorithm confusion: Identifies tokens vulnerable to RS256->HS256 attacks
• Token expiration issues: Checks for missing or improper expiration claims
• Missing security claims: Verifies presence of recommended JWT claims
• Kid header injection: Detects potential SQL/path injection vulnerabilities
• JKU/X5U header attacks: Identifies URL spoofing attack vectors

Start a local REST API for automation and integrations. To require authentication, use --api-key and include X-API-KEY in requests.

# Start on localhost:3000 with API key protection
jwt-hack server --api-key your-api-key

# Example request (must include X-API-KEY when --api-key is set)
curl -s http://127.0.0.1:3000/health -H 'X-API-KEY: your-api-key'

jwt-hack can run as an MCP server, allowing AI models to interact with JWT functionality through a standardized protocol.

# Start MCP server (communicates via stdio)
jwt-hack mcp

The MCP server exposes the following tools:

The MCP server is designed to be used by AI models and MCP clients. Each tool accepts JSON parameters and returns structured responses.

Decode Tool:

{
  "name": "decode",
  "arguments": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Encode Tool:

{
  "name": "encode",
  "arguments": {
    "json": "{\"sub\":\"1234\",\"name\":\"test\"}",
    "secret": "mysecret",
    "algorithm": "HS256"
  }
}

You can connect jwt-hack’s MCP server to popular MCP-enabled clients. Make sure the jwt-hack binary is on your system and accessible by the client.

VSCode

{
  "servers": {
    "jwt-hack": {
      "type": "stdio",
      "command": "jwt-hack",
      "args": [
        "mcp"
      ]
    }
  },
  "inputs": []
}

Claude Desktop

{
  "mcpServers": {
    "jwt-hack": {
      "command": "jwt-hack",
      "args": ["mcp"],
      "env": {}
    }
  }
}

DEFLATE Compression Support The jwt-hack toolkit supports DEFLATE compression for JWTs.

• Use the --compress option with encode to generate compressed JWTs.
• The decode and crack modes automatically detect and handle compressed JWTs.

Urx is open-source project and made it with ❤️ if you want contribute this project, please see CONTRIBUTING.md and Pull-Request with cool your contents.