{"id":19515877,"url":"https://github.com/sciguy16/jwt-explorer","last_synced_at":"2025-10-11T01:03:26.434Z","repository":{"id":38331938,"uuid":"409918526","full_name":"sciguy16/jwt-explorer","owner":"sciguy16","description":"Decode, explore, and sign JWTs","archived":false,"fork":false,"pushed_at":"2023-03-25T01:17:57.000Z","size":2499,"stargazers_count":11,"open_issues_count":4,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-04T08:45:32.265Z","etag":null,"topics":["jwt","jwt-token","security","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sciguy16.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog.md","contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-24T10:09:32.000Z","updated_at":"2023-06-29T09:43:41.000Z","dependencies_parsed_at":"2023-02-12T06:01:21.884Z","dependency_job_id":null,"html_url":"https://github.com/sciguy16/jwt-explorer","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sciguy16%2Fjwt-explorer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sciguy16%2Fjwt-explorer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sciguy16%2Fjwt-explorer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sciguy16%2Fjwt-explorer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sciguy16","download_url":"https://codeload.github.com/sciguy16/jwt-explorer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250943984,"owners_count":21511669,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt","jwt-token","security","security-tools"],"created_at":"2024-11-10T23:43:26.385Z","updated_at":"2025-10-11T01:03:21.397Z","avatar_url":"https://github.com/sciguy16.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# JWT Explorer\n\nA utility for inspecting, modifying, and attacking JWTs.\n\nSupports Windows and Linux and probably also works on macOS but this has not been tested.\n\n![Overview of JWT Explorer](images/overview.png)\n\n## Usage\n\n```bash\ncargo run --release\n```\n\nOr download the latest release for your platform from [the releases page](https://github.com/sciguy16/jwt-explorer/releases)!\n\n## Features\n\n* Decode JWTs and inspect the headers and claims\n* Automatically try some common secrets\n* Generate `alg:none` attack payloads\n* Easily update `iat` and `exp` with various offsets\n* Sign and encode tokens with common algorithms\n* Accept and encode invalid JSON payloads\n* Alter the claims while retaining the original signature\n* Signature types: HMAC-SHA, ECDSA, RSASSA-PKCS1-v1_5\n\n## Attacks\n\u003cdl\u003e\n\t\u003cdt\u003ealg:none\u003c/dt\u003e\n\t\u003cdd\u003e\n\t\t\"Sign\" the JWT with an empty signature and set the algorithm type to \"None\".\n\t\tAccepted by some implementations which trust the JWT's choice of signature algorithm.\n\t\tSome parsers check for \"none\" but don't check for e.g. \"nOnE\".\n\t\tMake sure to try with and without the trailing dot.\n\t\u003c/dd\u003e\n\t\u003cdt\u003eNull signature\u003c/dt\u003e\n\t\u003cdd\u003e\n\t\tLeave the original header intact but don't provide a signature.\n\t\tMake sure to try with and without the trailing dot.\n\t\u003c/dd\u003e\n\t\u003cdt\u003eRetain original signature\u003c/dt\u003e\n\t\u003cdd\u003e\n\t\tTamper with the claims while leaving the original signature intact.\n\t\u003c/dd\u003e\n\t\u003cdt\u003eGuess common secrets\u003c/dt\u003e\n\t\u003cdd\u003e\n\t\tIf the token has been signed with an HMAC then try a few common secrets.\n\t\tThis is not a substitute for passing the token to Hashcat, but can get some easy wins.\n\t\u003c/dd\u003e\n\u003c/dl\u003e\n\n## License\n\nJWT Explorer is available under the terms of either the MIT license or\nthe Apache License (Version 2.0).\n\nFonts used are distributed under the terms of the Open Font License.\n\nJWT Explorer binaries include a statically linked copy of [OpenSSL](https://github.com/openssl/openssl) which is distributed under the terms of the Apache License 2.0.\n\nSee [LICENSE-APACHE](LICENSE-APACHE), [LICENSE-MIT](LICENSE-MIT), and\nfonts/\\*/LICENSE for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsciguy16%2Fjwt-explorer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsciguy16%2Fjwt-explorer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsciguy16%2Fjwt-explorer/lists"}