JWT Toolkit · Rust

JWT-HACK

A high-performance toolkit to test, analyze and attack JSON Web Tokens — encode, decode, verify, crack and scan from one fast Rust CLI.

Rust MIT
8 Modes
5 Install methods
MIT License

Capabilities

Everything you need to break a JWT

Originally written in Go (2020) and rewritten in Rust for v2 (2025) — jwt-hack pairs everyday token tooling with an offensive toolkit.

Encode and decode

Create and inspect JWT and JWE tokens, including DEFLATE-compressed payloads.

Secret cracking

Recover weak signing secrets with dictionary and brute-force attacks.

Signature verify

Validate HMAC and RSA/EC signatures against a secret or key.

Vulnerability scan

Automated checks for none-algorithm, algorithm confusion, kid injection and more.

Attack payloads

Generate none-algorithm, algorithm-confusion and kid-injection payloads on demand.

API and MCP servers

A REST API mode plus a Model Context Protocol server for AI-driven tooling.

Quickstart

Decode, crack and scan in one CLI

zsh
$ cargo install jwt-hack
# decode a token
$ jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.x
[*] alg=HS256 sub=1234
# crack a weak signing secret
$ jwt-hack crack -w wordlist.txt TOKEN
[+] found secret: password123
# scan for common JWT flaws
$ jwt-hack scan TOKEN

Illustrative output.

Break and fix your JWTs.

Install with Cargo, Homebrew, Snap or Docker.