{"id":13542367,"url":"https://github.com/hahwul/jwt-hack","last_synced_at":"2026-01-26T17:05:17.527Z","repository":{"id":41561710,"uuid":"276693223","full_name":"hahwul/jwt-hack","owner":"hahwul","description":"🔩 jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce)","archived":false,"fork":false,"pushed_at":"2024-05-21T15:01:06.000Z","size":175,"stargazers_count":771,"open_issues_count":7,"forks_count":103,"subscribers_count":16,"default_branch":"main","last_synced_at":"2024-12-27T23:06:05.728Z","etag":null,"topics":["bugbounty","cracking","hacking","hacktoberfest","jwt","payload-generator","security","testing-tools","tool"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hahwul.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://paypal.me/hahwul","https://www.buymeacoffee.com/hahwul"]}},"created_at":"2020-07-02T16:17:09.000Z","updated_at":"2024-12-24T07:37:06.000Z","dependencies_parsed_at":"2024-05-21T15:42:22.463Z","dependency_job_id":"365c16dc-0b03-4946-90e8-19a4901bc809","html_url":"https://github.com/hahwul/jwt-hack","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hahwul%2Fjwt-hack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hahwul%2Fjwt-hack/tags","releases_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/hahwul%2Fjwt-hack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hahwul%2Fjwt-hack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hahwul","download_url":"https://codeload.github.com/hahwul/jwt-hack/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239533064,"owners_count":19654617,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","cracking","hacking","hacktoberfest","jwt","payload-generator","security","testing-tools","tool"],"created_at":"2024-08-01T10:01:05.600Z","updated_at":"2026-01-26T17:05:17.507Z","avatar_url":"https://github.com/hahwul.png","language":"Go","readme":"\u003cdiv align=\"center\"\u003e\n    \u003cpicture\u003e\n        \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"docs/static/images/jwt-hack-dark.png\" width=\"500px;\"\u003e\n        \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"docs/static/images/jwt-hack-light.png\" width=\"500px;\"\u003e\n        \u003cimg alt=\"DevSecOps Logo\" src=\"docs/static/images/jwt-hack-dark.png\" width=\"500px;\"\u003e\n    \u003c/picture\u003e\n  \u003cp\u003eJSON Web Token Hack Toolkit\u003c/p\u003e\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/hahwul/jwt-hack/releases/latest\"\u003e\u003cimg 
src=\"https://img.shields.io/github/v/release/hahwul/jwt-hack?style=for-the-badge\u0026logoColor=%23000000\u0026label=jwt-hack\u0026labelColor=%23000000\u0026color=%23000000\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://app.codecov.io/gh/hahwul/jwt-hack\"\u003e\u003cimg src=\"https://img.shields.io/codecov/c/gh/hahwul/jwt-hack?style=for-the-badge\u0026logoColor=%23000000\u0026labelColor=%23000000\u0026color=%23000000\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/hahwul/jwt-hack/blob/main/CONTRIBUTING.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/CONTRIBUTIONS-WELCOME-000000?style=for-the-badge\u0026labelColor=000000\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://rust-lang.org\"\u003e\u003cimg src=\"https://img.shields.io/badge/Rust-000000?style=for-the-badge\u0026logo=rust\u0026logoColor=white\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nA high-performance toolkit for testing, analyzing and attacking JSON Web Tokens.\n\n## Installation\n\n### Cargo\n```bash\ncargo install jwt-hack\n```\n\n### Homebrew\n```bash\nbrew install jwt-hack\n```\n\n### Snapcraft (Ubuntu)\n\n```bash\nsudo snap install jwt-hack\n```\n\n### From source\n```bash\ngit clone https://github.com/hahwul/jwt-hack\ncd jwt-hack\ncargo install --path .\n```\n\n### Docker images\n#### GHCR\n```bash\ndocker pull ghcr.io/hahwul/jwt-hack:latest\n```\n\n#### Docker Hub\n```bash\ndocker pull hahwul/jwt-hack:v2.4.0\n```\n\n## Features\n\n| Mode    | Description                  | Support                                                      |\n|---------|------------------------------|--------------------------------------------------------------|\n| Encode  | JWT/JWE Encoder              | Secret based / Key based / Algorithm / Custom Header / DEFLATE Compression / JWE |\n| Decode  | JWT/JWE Decoder              | Algorithm, Issued At Check, DEFLATE Compression, JWE Structure |\n| Verify  | JWT Verifier                 | Secret based / Key based (for asymmetric algorithms)         
|\n| Crack   | Secret Cracker               | Dictionary Attack / Brute Force / DEFLATE Compression        |\n| Payload | JWT Attack Payload Generator | none / jku\u0026x5u / alg_confusion / kid_sql / x5c / cty         |\n| Scan    | Vulnerability Scanner        | Automated security checks for common JWT vulnerabilities     |\n| Server  | API Server                    | Run API Server Mode (http://localhost:3000)                 |\n| MCP     | Model Context Protocol Server | AI model integration via standardized protocol              |\n\n## Basic Usage\n\n### Decode a JWT\n\nYou can decode both regular and DEFLATE-compressed JWTs. The tool will automatically detect and decompress compressed tokens.\n\n```bash\njwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED\njwt-hack decode COMPRESSED_JWT_TOKEN\n```\n\n### Decode a JWE\n\nDecode JWE (JSON Web Encryption) tokens to analyze their structure. The tool automatically detects JWE format (5 parts) and displays the encryption details.\n\n```bash\n# Decode JWE token structure\njwt-hack decode eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2.eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn\n\n# Shows JWE header, encrypted key, IV, ciphertext, and authentication tag\n```\n\n### Encode a JWT\n\n```bash\njwt-hack encode '{\"sub\":\"1234\"}' --secret=your-secret\n```\n\n#### Encode a JWT with DEFLATE Compression\n\nYou can use the `--compress` option to apply DEFLATE compression to the JWT payload.\n\n```bash\njwt-hack encode '{\"sub\":\"1234\"}' --secret=your-secret --compress\n```\n\n#### Encode a JWT with a Private Key\n\n```bash\n# With Private Key\nssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P \"\" -f RS256.key\njwt-hack encode '{\"a\":\"z\"}' --private-key RS256.key --algorithm=RS256\n```\n\n### Encode a JWE\n\nCreate JWE (JSON Web Encryption) tokens for testing encrypted JWT scenarios.\n\n```bash\n# Basic JWE encoding\njwt-hack encode '{\"sub\":\"1234\", \"data\":\"encrypted\"}' --jwe --secret=your-secret\n\n# JWE tokens are encrypted and can only be 
decrypted with the proper key\njwt-hack encode '{\"sensitive\":\"data\"}' --jwe\n```\n\n### Verify a JWT\n\nChecks if a JWT's signature is valid using the provided secret or key.\n\n```bash\n# With Secret (HMAC algorithms like HS256, HS384, HS512)\njwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret\n\n# With Private Key (for asymmetric algorithms like RS256, ES256, EdDSA)\njwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key\n```\n\n### Crack a JWT\n\nDictionary and brute force attacks also support JWTs compressed with DEFLATE.\n\n```bash\n# Dictionary attack\njwt-hack crack -w wordlist.txt JWT_TOKEN\njwt-hack crack -w wordlist.txt COMPRESSED_JWT_TOKEN\n\n# Bruteforce attack\njwt-hack crack -m brute JWT_TOKEN --max=4\njwt-hack crack -m brute COMPRESSED_JWT_TOKEN --max=4\n```\n\n### Generate payloads\n\n```bash\njwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com\n```\n\n### Scan for vulnerabilities\n\nAutomatically scan JWT tokens for common security issues and vulnerabilities.\n\n```bash\n# Full scan including weak secret detection and payload generation\njwt-hack scan JWT_TOKEN\n\n# Skip secret cracking for faster results\njwt-hack scan JWT_TOKEN --skip-crack\n\n# Skip payload generation\njwt-hack scan JWT_TOKEN --skip-payloads\n\n# Use custom wordlist for weak secret detection\njwt-hack scan JWT_TOKEN -w custom_wordlist.txt\n\n# Limit secret testing attempts\njwt-hack scan JWT_TOKEN --max-crack-attempts 50\n```\n\nThe scan command checks for:\n- **None algorithm vulnerability**: Detects if the token accepts unsigned tokens\n- **Weak secrets**: Tests against common passwords (customizable with wordlist)\n- **Algorithm confusion**: Identifies tokens vulnerable to RS256-\u003eHS256 attacks\n- **Token expiration issues**: Checks for missing or improper expiration claims\n- **Missing security claims**: Verifies presence of recommended JWT claims\n- **Kid header injection**: Detects potential SQL/path 
injection vulnerabilities\n- **JKU/X5U header attacks**: Identifies URL spoofing attack vectors\n\n### Server (REST API)\n\nStart a local REST API for automation and integrations. To require authentication, use `--api-key` and include `X-API-KEY` in requests.\n\n```bash\n# Start on localhost:3000 with API key protection\njwt-hack server --api-key your-api-key\n\n# Example request (must include X-API-KEY when --api-key is set)\ncurl -s http://127.0.0.1:3000/health -H 'X-API-KEY: your-api-key'\n```\n\n### MCP (Model Context Protocol) Server Mode\n\njwt-hack can run as an MCP server, allowing AI models to interact with JWT functionality through a standardized protocol.\n\n```bash\n# Start MCP server (communicates via stdio)\njwt-hack mcp\n```\n\nThe MCP server exposes the following tools:\n\n| Tool | Description | Parameters |\n|------|-------------|------------|\n| `decode` | Decode JWT tokens | `token` (string) |\n| `encode` | Encode JSON to JWT | `json` (string), `secret` (optional), `algorithm` (default: HS256), `no_signature` (boolean) |\n| `verify` | Verify JWT signatures | `token` (string), `secret` (optional), `validate_exp` (boolean) |\n| `crack` | Crack JWT tokens | `token` (string), `mode` (dict/brute), `chars` (string), `max` (number) |\n| `payload` | Generate attack payloads | `token` (string), `target` (string), `jwk_attack` (optional), `jwk_protocol` (default: https) |\n\n#### Example MCP Usage\n\nThe MCP server is designed to be used by AI models and MCP clients. 
Each tool accepts JSON parameters and returns structured responses.\n\n**Decode Tool:**\n```json\n{\n  \"name\": \"decode\",\n  \"arguments\": {\n    \"token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\"\n  }\n}\n```\n\n**Encode Tool:**\n```json\n{\n  \"name\": \"encode\",\n  \"arguments\": {\n    \"json\": \"{\\\"sub\\\":\\\"1234\\\",\\\"name\\\":\\\"test\\\"}\",\n    \"secret\": \"mysecret\",\n    \"algorithm\": \"HS256\"\n  }\n}\n```\n\n#### MCP Client Integration Examples\n\nYou can connect jwt-hack’s MCP server to popular MCP-enabled clients. Make sure the `jwt-hack` binary is on your system and accessible by the client.\n\n**VSCode**\n\n```json\n{\n  \"servers\": {\n    \"jwt-hack\": {\n      \"type\": \"stdio\",\n      \"command\": \"jwt-hack\",\n      \"args\": [\n        \"mcp\"\n      ]\n    }\n  },\n  \"inputs\": []\n}\n```\n\n**Claude Desktop**\n\n```json\n{\n  \"mcpServers\": {\n    \"jwt-hack\": {\n      \"command\": \"jwt-hack\",\n      \"args\": [\"mcp\"],\n      \"env\": {}\n    }\n  }\n}\n```\n\n## DEFLATE Compression Support\n\n\u003e **DEFLATE Compression Support**\n\u003e The `jwt-hack` toolkit supports DEFLATE compression for JWTs.\n\u003e - Use the `--compress` option with `encode` to generate compressed JWTs.\n\u003e - The `decode` and `crack` modes automatically detect and handle compressed JWTs.\n\n## Contribute\n\njwt-hack is an open-source project made with ❤️.\nIf you want to contribute to this project, please see [CONTRIBUTING.md](./CONTRIBUTING.md) and open a pull request with your cool contents.\n\n[![](https://raw.githubusercontent.com/hahwul/jwt-hack/refs/heads/main/CONTRIBUTORS.svg)](https://github.com/hahwul/jwt-hack/graphs/contributors)\n","funding_links":["https://paypal.me/hahwul","https://www.buymeacoffee.com/hahwul"],"categories":["Miscellaneous","Weapons","Go","Go (531)"],"sub_categories":["JSON Web 
Token","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhahwul%2Fjwt-hack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhahwul%2Fjwt-hack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhahwul%2Fjwt-hack/lists"}