Version: 0.4.0
Revision: 13
Size: 5.3 MB
License: MIT
Confinement: strict
Base: Unknown

JWTop


JWTop is a fast, developer-friendly JWT operations toolkit for the terminal. Decode, verify, create, sign, crack, and exploit JSON Web Tokens with a single CLI.

Features

  • Decode and pretty-print any JWT without verifying the signature
  • Verify signatures with HMAC secrets, RSA/ECDSA PEM keys, or JWKS endpoints
  • Create and sign new tokens with custom claims, expiration, and issuer
  • Re-sign existing tokens with a new algorithm or key
  • Dictionary-attack weak HMAC secrets with built-in or custom wordlists
  • Probe a live server for JWT vulnerabilities and report which exploits succeed

Supported exploit techniques

  • alg=none bypass (all capitalisation variants)
  • Blank secret and null signature attacks
  • HMAC confusion (RSA/ECDSA public key used as HMAC secret)
  • kid header injection (SQL injection, path traversal, raw)

Supported algorithms

  • HMAC: HS256, HS384, HS512
  • RSA: RS256, RS384, RS512
  • RSA-PSS: PS256, PS384, PS512
  • ECDSA: ES256, ES384, ES512
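As an added example that is not part of JWTop or of this listing: a standard-library-only Python decoder and HMAC verifier that shows, from the server side, the checks that make the alg=none, blank-signature and header-trusted-algorithm mistakes listed above fail closed. The secret, the claims and the rejection cases are constructed for the demo and carry no meaning beyond it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service loads this from a secret store.
DEMO_SECRET = b"correct-horse-battery-staple"

# Server-side policy: the algorithms are pinned to the key type the service
# actually holds (an HMAC secret here), so the header's "alg" never chooses
# the verification method on its own. "none" in any spelling is simply absent.
ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _seg(obj: dict) -> str:
    """Compact JSON, base64url-encoded, as one JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_unverified(token: str) -> dict:
    """Split a compact JWT and parse header and payload WITHOUT checking the signature.
    Useful for inspection and logging; never use its output for an authorisation decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": parts[2],
    }


def sign_hs(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issue a token the way a legitimate issuer would."""
    signing_input = f"{_seg({'alg': alg, 'typ': 'JWT'})}.{_seg(payload)}"
    sig = hmac.new(secret, signing_input.encode(), ALLOWED_ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the token carries an allow-listed HMAC algorithm
    and a non-empty signature that matches; otherwise return None."""
    try:
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header = json.loads(b64url_decode(parts[0]))
        alg = header.get("alg")
        # Exact-match allowlist: rejects "none", "None", "nOnE", RS*/ES*, missing alg, non-strings.
        if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
            return None
        if parts[2] == "":
            return None  # blank signature is never valid for an HMAC algorithm
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), ALLOWED_ALGS[alg]).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        return json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None


def demo() -> dict:
    """Run the verifier over one legitimate token and several inputs it must reject."""
    good = sign_hs({"sub": "alice"}, DEMO_SECRET)
    claims = {"sub": "admin"}  # constructed: a claim set nobody signed
    cases = {
        "valid": good,
        "wrong_secret": sign_hs({"sub": "alice"}, b"not-the-secret"),
        "none_lower": f"{_seg({'alg': 'none'})}.{_seg(claims)}.",
        "none_mixed": f"{_seg({'alg': 'NoNe'})}.{_seg(claims)}.",
        "blank_sig": f"{good.rsplit('.', 1)[0]}.",
        "header_rs256": f"{_seg({'alg': 'RS256'})}.{_seg(claims)}.{good.rsplit('.', 1)[1]}",
        "tampered_payload": f"{good.split('.')[0]}.{_seg(claims)}.{good.split('.')[2]}",
    }
    return {name: verify_hs(tok, DEMO_SECRET) is not None for name, tok in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18} {'ACCEPTED' if accepted else 'rejected'}")
```

The design point is that the allowlist is tied to the key the server holds, not read from the token: a verifier that lets the header pick between HMAC and RSA is exactly what the HMAC confusion technique listed above relies on, and one that treats "none" as a real algorithm is what the alg=none bypass relies on. Running the block prints one line per case; only `valid` is accepted.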

The exploit and crack commands are intended for authorised security testing, penetration testing, CTF competitions, and educational purposes only. Never test systems you do not own or have explicit written permission to test.

Update History

0.3.2 (8) → 0.4.0 (13): 2 Jun 2026, 23:00 UTC
0.1.0 (1) → 0.3.2 (8): 14 Apr 2026, 23:00 UTC
0.1.0 (1 → 1): 19 Mar 2026, 17:01 UTC
0.1.0 (1): 26 Feb 2026, 00:13 UTC

Published: 25 Feb 2026, 23:46 UTC

Last updated: 2 Jun 2026, 22:52 UTC

First seen: 26 Feb 2026, 00:13 UTC