chei-l/jwt-hack

JSON Web Token Hack Toolkit


A high-performance toolkit for testing, analyzing and attacking JSON Web Tokens.

Installation

Cargo

cargo install jwt-hack

Homebrew

brew install jwt-hack

Snapcraft (Ubuntu)

sudo snap install jwt-hack

From source

git clone https://github.com/hahwul/jwt-hack
cd jwt-hack
cargo install --path .

Docker images

GHCR

docker pull ghcr.io/hahwul/jwt-hack:latest

Docker Hub

docker pull hahwul/jwt-hack:v2.2.0

Features

| Mode | Description | Support |
|---|---|---|
| Encode | JWT/JWE Encoder | Secret based / Key based / Algorithm / Custom Header / DEFLATE Compression / JWE |
| Decode | JWT/JWE Decoder | Algorithm, Issued At Check, DEFLATE Compression, JWE Structure |
| Verify | JWT Verifier | Secret based / Key based (for asymmetric algorithms) |
| Crack | Secret Cracker | Dictionary Attack / Brute Force / DEFLATE Compression |
| Payload | JWT Attack Payload Generator | none / jku&x5u / alg_confusion / kid_sql / x5c / cty |
| MCP | Model Context Protocol Server | AI model integration via standardized protocol |

Basic Usage

Decode a JWT

You can decode both regular and DEFLATE-compressed JWTs. The tool will automatically detect and decompress compressed tokens.

jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED
jwt-hack decode COMPRESSED_JWT_TOKEN

Decode a JWE

Decode JWE (JSON Web Encryption) tokens to analyze their structure. The tool automatically detects JWE format (5 parts) and displays the encryption details.

# Decode JWE token structure
jwt-hack decode eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..ZHVtbXlfaXZfMTIzNDU2.eyJ0ZXN0IjoiandlIn0.ZHVtbXlfdGFn

# Shows JWE header, encrypted key, IV, ciphertext, and authentication tag

Encode a JWT

jwt-hack encode '{"sub":"1234"}' --secret=your-secret

Encode a JWT with DEFLATE Compression

You can use the --compress option to apply DEFLATE compression to the JWT payload.

jwt-hack encode '{"sub":"1234"}' --secret=your-secret --compress

With Private Key

ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key
jwt-hack encode '{"a":"z"}' --private-key RS256.key --algorithm=RS256


Encode a JWE

Create JWE (JSON Web Encryption) tokens for testing encrypted JWT scenarios.

# Basic JWE encoding
jwt-hack encode '{"sub":"1234", "data":"encrypted"}' --jwe --secret=your-secret

# JWE tokens are encrypted and can only be decrypted with the proper key
jwt-hack encode '{"sensitive":"data"}' --jwe

Verify a JWT

Checks if a JWT's signature is valid using the provided secret or key.

# With Secret (HMAC algorithms like HS256, HS384, HS512)
jwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret

# With Private Key (for asymmetric algorithms like RS256, ES256, EdDSA)
jwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key

Crack a JWT

Both the dictionary and brute-force modes also accept JWTs compressed with DEFLATE.

# Dictionary attack
jwt-hack crack -w wordlist.txt JWT_TOKEN
jwt-hack crack -w wordlist.txt COMPRESSED_JWT_TOKEN

# Brute-force attack
jwt-hack crack -m brute JWT_TOKEN --max=4
jwt-hack crack -m brute COMPRESSED_JWT_TOKEN --max=4

Generate payloads

jwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com

MCP (Model Context Protocol) Server Mode

jwt-hack can run as an MCP server, allowing AI models to interact with JWT functionality through a standardized protocol.

# Start MCP server (communicates via stdio)
jwt-hack mcp

The MCP server exposes the following tools:

| Tool | Description | Parameters |
|---|---|---|
| decode | Decode JWT tokens | token (string) |
| encode | Encode JSON to JWT | json (string), secret (optional), algorithm (default: HS256), no_signature (boolean) |
| verify | Verify JWT signatures | token (string), secret (optional), validate_exp (boolean) |
| crack | Crack JWT tokens | token (string), mode (dict/brute), chars (string), max (number) |
| payload | Generate attack payloads | token (string), target (string), jwk_attack (optional), jwk_protocol (default: https) |

Example MCP Usage

The MCP server is designed to be used by AI models and MCP clients. Each tool accepts JSON parameters and returns structured responses.

Decode Tool:

{
  "name": "decode",
  "arguments": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Encode Tool:

{
  "name": "encode",
  "arguments": {
    "json": "{\"sub\":\"1234\",\"name\":\"test\"}",
    "secret": "mysecret",
    "algorithm": "HS256"
  }
}

MCP Client Integration Examples

You can connect jwt-hack’s MCP server to popular MCP-enabled clients. Make sure the jwt-hack binary is on your system and accessible by the client.

VSCode

{
  "servers": {
    "jwt-hack": {
      "type": "stdio",
      "command": "/opt/homebrew/bin/jwt-hack",
      "args": [
        "mcp"
      ]
    }
  },
  "inputs": []
}

Claude Desktop

{
  "mcpServers": {
    "jwt-hack": {
      "command": "/usr/local/bin/jwt-hack",
      "args": ["mcp"],
      "env": {}
    }
  }
}

DEFLATE Compression Support

The jwt-hack toolkit supports DEFLATE compression for JWTs.

  • Use the --compress option with encode to generate compressed JWTs.
  • The decode and crack modes automatically detect and handle compressed JWTs.
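The decode, verify and DEFLATE behaviour described above (3-part JWT versus 5-part JWE detection, transparent decompression, HMAC verification, and a triage of the header members the Payload mode targets) as a stand-alone Python illustration, added here and not taken from jwt-hack's own Rust code base. It assumes a compressed payload is raw DEFLATE flagged with the RFC 7516 "zip":"DEF" header member; jwt-hack's wire format may differ, and the tokens in the tests are constructed or copied from this README.

```python
import base64
import hashlib
import hmac
import json
import zlib

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_token(token: str) -> dict:
    parts = token.split(".")  # five parts is JWE, three is JWS/JWT
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 5:
        return {"kind": "JWE", "header": header, **dict(zip(("encrypted_key", "iv", "ciphertext", "tag"), parts[1:]))}
    if len(parts) != 3:
        raise ValueError(f"expected 3 or 5 dot-separated parts, got {len(parts)}")
    raw = b64url_decode(parts[1])
    try:
        claims, compressed = json.loads(raw), False
    except ValueError:  # JSONDecodeError or UnicodeDecodeError: DEFLATE output is not JSON text
        claims, compressed = json.loads(zlib.decompress(raw, -15)), True  # raw DEFLATE, no zlib header
    return {"kind": "JWT", "header": header, "claims": claims, "compressed": compressed}

def header_warnings(header: dict) -> list[str]:
    warns = ["alg=none: token carries no signature"] if str(header.get("alg", "")).lower() == "none" else []
    # jku/x5u/x5c/kid/cty are the members the Payload mode targets; a verifier must not resolve them freely
    return warns + [f"header sets '{k}': resolve only against an allowlist" for k in ("jku", "x5u", "x5c", "kid", "cty") if k in header]

def encode_hs(claims: dict, secret: str, alg: str = "HS256", compress: bool = False) -> str:
    header, body = {"alg": alg}, json.dumps(claims, separators=(",", ":")).encode()
    if compress:  # assumption: raw DEFLATE of the payload, flagged with the RFC 7516 "zip":"DEF" member
        header["zip"] = "DEF"
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        body = comp.compress(body) + comp.flush()
    signing_input = b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." + b64url_encode(body)
    sig = hmac.new(secret.encode(), signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs(token: str, secret: str) -> bool:
    h, p, s = token.split(".")
    digest = HMAC_ALGS.get(json.loads(b64url_decode(h)).get("alg"))
    if digest is None:  # alg=none or an asymmetric alg: never check those against an HMAC secret
        return False
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), digest).digest()  # MAC covers compressed bytes too
    return hmac.compare_digest(b64url_encode(expected), s)
```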

Contribute

jwt-hack is an open-source project made with ❤️. If you want to contribute, please see CONTRIBUTING.md and open a pull request with your changes.
