jwt-hack

JWT-HACK Logo

JSON Web Token Hack Toolkit

A high-performance toolkit for testing, analyzing and attacking JSON Web Tokens.

Installation

Cargo

cargo install jwt-hack

Homebrew

brew install jwt-hack

Snapcraft (Ubuntu)

sudo snap install jwt-hack

From source

git clone https://github.com/hahwul/jwt-hack
cd jwt-hack
cargo install --path .

Docker images

GHCR

docker pull ghcr.io/hahwul/jwt-hack:latest

Docker Hub

docker pull hahwul/jwt-hack:v2.3.1

Features

ModeDescriptionSupport
EncodeJWT/JWE EncoderSecret based / Key based / Algorithm / Custom Header / DEFLATE Compression / JWE
DecodeJWT/JWE DecoderAlgorithm, Issued At Check, DEFLATE Compression, JWE Structure
VerifyJWT VerifierSecret based / Key based (for asymmetric algorithms)
CrackSecret CrackerDictionary Attack / Brute Force / DEFLATE Compression
PayloadJWT Attack Payload Generatornone / jku&x5u / alg_confusion / kid_sql / x5c / cty
MCPModel Context Protocol ServerAI model integration via standardized protocol

Basic Usage

Decode a JWT

You can decode both regular and DEFLATE-compressed JWTs. The tool will automatically detect and decompress compressed tokens.

jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED
jwt-hack decode COMPRESSED_JWT_TOKEN

Decode a JWE

Decode JWE (JSON Web Encryption) tokens to analyze their structure. The tool automatically detects JWE format (5 parts) and displays the encryption details.

# Decode JWE token structure
jwt-hack decode eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2.eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn

# Shows JWE header, encrypted key, IV, ciphertext, and authentication tag

Encode a JWT

jwt-hack encode '{"sub":"1234"}' --secret=your-secret

Encode a JWT with DEFLATE Compression

You can use the --compress option to apply DEFLATE compression to the JWT payload.

jwt-hack encode '{"sub":"1234"}' --secret=your-secret --compress

With Private Key

ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key jwt-hack encode '{"a":"z"}' --private-key RS256.key --algorithm=RS256


### Encode a JWE

Create JWE (JSON Web Encryption) tokens for testing encrypted JWT scenarios.

```bash
# Basic JWE encoding
jwt-hack encode '{"sub":"1234", "data":"encrypted"}' --jwe --secret=your-secret

# JWE tokens are encrypted and can only be decrypted with the proper key
jwt-hack encode '{"sensitive":"data"}' --jwe

Verify a JWT

Checks if a JWT's signature is valid using the provided secret or key.

# With Secret (HMAC algorithms like HS256, HS384, HS512)
jwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret

# With Private Key (for asymmetric algorithms like RS256, ES256, EdDSA)
jwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key

Crack a JWT

Dictionary and brute force attacks also support JWTs compressed with DEFLATE.

# Dictionary attack
jwt-hack crack -w wordlist.txt JWT_TOKEN
jwt-hack crack -w wordlist.txt COMPRESSED_JWT_TOKEN

# Bruteforce attack
jwt-hack crack -m brute JWT_TOKEN --max=4
jwt-hack crack -m brute COMPRESSED_JWT_TOKEN --max=4

Generate payloads

jwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com

MCP (Model Context Protocol) Server Mode

jwt-hack can run as an MCP server, allowing AI models to interact with JWT functionality through a standardized protocol.

# Start MCP server (communicates via stdio)
jwt-hack mcp

The MCP server exposes the following tools:

ToolDescriptionParameters
decodeDecode JWT tokens token (string)
encodeEncode JSON to JWT json (string), secret (optional), algorithm (default: HS256), no_signature (boolean)
verifyVerify JWT signatures token (string), secret (optional), validate_exp (boolean)
crackCrack JWT tokens token (string), mode (dict/brute), chars (string), max (number)
payloadGenerate attack payloads token (string), target (string), jwk_attack (optional), jwk_protocol (default: https)

Example MCP Usage

The MCP server is designed to be used by AI models and MCP clients. Each tool accepts JSON parameters and returns structured responses.

Decode Tool:

{
  "name": "decode",
  "arguments": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Encode Tool:

{
  "name": "encode",
  "arguments": {
    "json": "{\"sub\":\"1234\",\"name\":\"test\"}",
    "secret": "mysecret",
    "algorithm": "HS256"
  }
}

MCP Client Integration Examples

You can connect jwt-hack’s MCP server to popular MCP-enabled clients. Make sure the jwt-hack binary is on your system and accessible by the client.

VSCode

{
  "servers": {
    "jwt-hack": {
      "type": "stdio",
      "command": "jwt-hack",
      "args": [
        "mcp"
      ]
    }
  },
  "inputs": []
}

Claude Desktop

{
  "mcpServers": {
    "jwt-hack": {
      "command": "jwt-hack",
      "args": ["mcp"],
      "env": {}
    }
  }
}

DEFLATE Compression Support

DEFLATE Compression Support The jwt-hack toolkit supports DEFLATE compression for JWTs.

  • Use the --compress option with encode to generate compressed JWTs.
  • The decode and crack modes automatically detect and handle compressed JWTs.

Contribute

Urx is open-source project and made it with ❤️ if you want contribute this project, please see CONTRIBUTING.md and Pull-Request with cool your contents.