Decode, sign, verify, and run offline JWT attacks (alg:none, algorithm confusion, kid/jwk injection, brute-force). Everything runs in your browser.
Decode, sign, verify, and attack JSON Web Tokens in your browser - alg:none, algorithm confusion, kid/jwk injection, brute-force, and a security audit. Nothing is uploaded.
JSON Web Tokens (JWTs) are everywhere in modern auth, and they are a frequent source of security bugs. This toolkit lets developers, learners, and security testers work with JWTs end to end - all locally in the browser, so tokens and keys never leave your device. It combines a decoder, a signer/verifier (HS256/384/512, RS256/384/512, ES256/384/512), an offline attack generator, and a security auditor in one place. Inspired by jwtforge.
Input:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.…
Output:
{ "alg": "HS256" } · { "sub": "admin" } · signature valid
Is my token or key sent anywhere?
No. Decoding, signing, verifying, attacks, and auditing all run in your browser with the Web Crypto API. Tokens and keys never leave your device.
Which algorithms are supported?
HS256/384/512 (HMAC), RS256/384/512 (RSA), and ES256/384/512 (ECDSA) for signing and verification, plus the 'none' algorithm for testing.
What is the algorithm-confusion attack?
If a server verifies RS256 tokens but can be tricked into treating the token as HS256, an attacker can sign a forged token using the server's PUBLIC key as the HMAC secret. The tool generates that token from a public-key PEM you provide.
Can it crack a JWT secret?
For HMAC (HS*) tokens it can brute-force the signing secret against a wordlist entirely in your browser. It will not find strong, random secrets - that is the point of using them.
Is it legal to use the attack features?
The attacks only generate tokens locally - they never contact any server. Only use generated tokens against applications you own or are explicitly authorized to test.