jwt_tool
jwt_tool is the Swiss Army knife for JWT manipulation, decoding, signing, and tampering with alg-none exploits or key confusion attacks right from your terminal. Fire up its Python script to inspect payloads, brute RS256 with public keys, or forge tokens for auth bypass tests in seconds. Open-source and feature-packed, it's the essential debugger for pentesters dissecting JWT vulns without the web wrapper.
jwt-cli
jwt-cli is the lightweight Rust CLI for encoding, decoding, and verifying JWTs with HMAC/RS/EC support, perfect for scripting token inspections in CI or shell workflows. Pipe in tokens for quick dumps of claims and headers, validating sigs against keys without GUI distractions. Open-source and blazing-fast, it's the command-line confidant for devs auditing JWT flows on the fly.
jwt-decode
jwt-decode is the minimalist JS library for client-side token decoding, stripping headers and payloads without verification to peek at claims in browsers or Node scripts. Import it for quick inspections during web app tests, chaining with custom validators for deeper probes. Open-source from Auth0, it's the no-fuss extractor for frontend hackers unraveling embedded secrets.
PyJWT
PyJWT is the robust Python toolkit for creating, signing, and decoding JWTs with full alg support, including JWS/JWE for encrypted payloads in secure API testing. Use its encode/decode functions to forge or inspect tokens, integrating seamlessly into scripts for auth fuzzing. Open-source and widely-adopted, it's the Python powerhouse for analysts crafting custom JWT experiments.
jwt-cracker
jwt-cracker is the brute-force beast for offline cracking of weak JWT keys, targeting HS256/384/512 with wordlists or incremental attacks on your local machine. Feed it a token and dict, watching it grind through possibilities with progress bars for feasible breaks. Open-source and GPU-optional, it's the key-crusher for pentesters exploiting poor secrets in captured tokens.
burp-jwt-support
burp-jwt-support is the Burp extension that supercharges JWT handling, decoding, editing, and signing tokens inline during proxy sessions for seamless vuln testing. Install via BApp Store, right-click requests to manipulate algs or claims, spotting none-alg swaps effortlessly. Open-source from PortSwigger, it's the proxy plugin for web hackers debugging JWTs in the wild.
jwt-simple
jwt-simple is the Node.js minimalist for symmetric JWT ops, encoding/decoding with HMAC keys for quick token prototyping or verification in serverless scripts. Call its sign/verify methods with secrets, handling expiration checks without bloat. Open-source and lean, it's the script-friendly signer for devs rolling custom auth without full frameworks.
jwt-validate
jwt-validate is the focused verifier that checks JWT structure, sigs, and claims against rules, flagging exp/iss mismatches or weak algs in your validation chains. Integrate its Go lib for API guards, running tests on inbound tokens with custom policies. Open-source and rule-rigid, it's the gatekeeper for engineers hardening JWT endpoints against common slips.
rust-jwt
rust-jwt is the safe Rust crate for parsing and validating JWTs with strong typing, preventing common errors like alg confusion in high-performance backends. Use its decode functions with keys for claim extractions, building tamper-proof flows. Open-source and memory-safe, it's the fortified forge for systems programmers crafting resilient token handlers.
jwt-fuzzer

