Security Tool
Decode, inspect, and analyze JSON Web Tokens
jwt auth web-security
JWT Token
Decode
Vulnerabilities
Verify & Forge
Brute Force

Signature Verifier
Verify an HMAC JWT signature against a known secret (HS256/384/512).

alg:none Attack
Strip the signature entirely — exploits servers that accept unsigned tokens.
Generates a forged token using the alg:none bypass. The signature is removed. Vulnerable servers accept this as valid without any secret.

Token Forge
Modify the payload and re-sign with a known secret to create a forged JWT.

Weak Secret Brute Force
Test the token's HMAC signature against a list of common weak secrets (HS256/384/512 only).
About Weak JWT Secrets

HMAC JWTs (HS256/384/512) are only as secure as their secret. Many apps ship with:

  • Framework defaults (secret, jwt_secret)
  • Common passwords (password, 123456)
  • The app name or domain as the secret
  • Secrets committed to public repos
  • Short / low-entropy strings

If the secret is found, an attacker can forge any claims — including admin:true or arbitrary user IDs.


For large wordlists, use:
hashcat -a 0 -m 16500 <jwt> wordlist.txt
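The checks this tool performs can be reproduced server-side with the standard library alone. The following is an added example, not the tool's own code: it pins the accepted algorithm list (so an alg:none header is rejected before any signature math), compares HMAC signatures in constant time, and audits a configured secret against a small constructed weak-secret list and a minimum length. The list, the 32-byte minimum and the sample tokens are assumptions for the demo, not values from the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo list; a real audit would load a proper wordlist.
WEAK_SECRETS = ["secret", "jwt_secret", "password", "123456", "changeme"]
# Assumed policy: an HS256 secret should be at least the hash output size (32 bytes).
MIN_SECRET_BYTES = 32

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint an HMAC-signed JWT (used here only to build sample tokens)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs(token: str, secret: bytes, allowed_algs=("HS256",)) -> dict:
    """Strict verifier: server-pinned algorithms, no alg:none, constant-time compare."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three segments")
    alg = json.loads(b64url_decode(h_b64)).get("alg")
    # The server decides which algorithms are acceptable; the header must merely match.
    # "none" is never in HMAC_ALGS, so an unsigned token fails here regardless of allowed_algs.
    if alg not in allowed_algs or alg not in HMAC_ALGS:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if not s_b64:
        raise ValueError("missing signature")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def audit_secret(secret: bytes) -> list:
    """Findings explaining why a configured HMAC secret is weak; an empty list means it passed."""
    findings = []
    if secret.decode("utf-8", "replace") in WEAK_SECRETS:
        findings.append("secret appears in a common weak-secret list")
    if len(secret) < MIN_SECRET_BYTES:
        findings.append(f"secret is {len(secret)} bytes; expected at least {MIN_SECRET_BYTES}")
    return findings


def find_weak_secret(token: str, candidates=WEAK_SECRETS):
    """Audit an issued token: return the weak secret it verifies under, or None."""
    alg = json.loads(b64url_decode(token.split(".")[0])).get("alg")
    for cand in candidates:
        try:
            verify_hs(token, cand.encode(), allowed_algs=(alg,))
            return cand
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    strong = b"A" * MIN_SECRET_BYTES  # constructed; use os.urandom(32) in practice
    token = sign_hs({"sub": "alice", "admin": False}, strong)
    print("payload:", verify_hs(token, strong))
    print("secret findings:", audit_secret(b"secret"))
    print("weak secret found:", find_weak_secret(sign_hs({"sub": "bob"}, b"secret")))
```

Pinning `allowed_algs` on the server, rather than trusting the token's `alg` header, is the single check that closes both the alg:none bypass and HMAC/RSA confusion; the weak-secret audit is the same test the Brute Force tab runs, turned on your own issued tokens.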