JWTForge

The attacker-minded alternative to jwt.io

Forge, audit & break JSON Web Tokens — all in your browser

A privacy-first JWT security toolkit for pentesters. Decode and verify, surface vulnerability signals, and generate attack tokens with ready-to-run artifacts. Your token, secret, and keys never leave the page.

No backend · No tracking · WebCrypto only

Six attack generators, zero requests sent

none: alg:none family
RS→HS: algorithm confusion
kid: header injection
jwk/jku: key injection
HS256: secret brute-force
claims: tampering

Decode

Live header / payload / signature breakdown, human-readable claims with expiry badges, and signature verification with your secret, public key, or a JWKS URL.

Open Decode

Audit

Heuristic security signals — alg:none, weak algorithms, kid/jku/x5u injection surface, sensitive claims — each framed honestly as a hypothesis to verify, with how to test it.

Open Audit

Attack

The differentiator. Generate malicious token variants and ready-to-run curl, .http, Burp, nuclei and jwt_tool artifacts. Includes an in-browser HS256 brute-forcer.

Open Attack

Honest by design

A purely client-side tool cannot tell you whether a server is actually vulnerable — that is a server-side property. JWTForge never claims a token “is vulnerable.” The Audit tab surfaces signals to review; the Attack tab gives you the artifacts to prove it yourself, against systems you are authorized to test.

How this works & privacy →

Frequently asked questions

Does JWTForge send my token, secret, or keys to a server?

No. JWTForge is 100% client-side. Decoding, signature verification, key generation, signing, and the HS256 brute-force all run in your browser via the WebCrypto API. You can confirm it by opening your browser's DevTools Network tab — no request carries your data. The only optional outbound request is the JWKS-URL fetch on the Decode tab, which sends only the URL you type, never your token.

What is a JWT security scanner and how is JWTForge different from a decoder?

A JWT security scanner looks beyond decoding to flag implementation weaknesses an attacker could exploit — things like the alg:none bypass, weak HMAC secrets, RS256-to-HS256 algorithm confusion, and kid/jku/jwk header injection. JWTForge's Audit tab surfaces those signals, and its Attack tab generates the forged tokens and ready-to-run artifacts you use to actually test them.

How do I test a JWT for the alg:none vulnerability?

Open the Attack tab and use the alg:none generator. It strips the signature and produces none, None, nOnE and NONE header variants to defeat naive case-sensitive filters, then exports curl, .http, Burp, nuclei and jwt_tool artifacts. Send them to a system you are authorized to test; if the server accepts an unsigned token, authentication is bypassable.

What is JWT algorithm confusion (RS256 to HS256)?

If a server picks the verification algorithm from the token header, an attacker can switch RS256 to HS256 and sign the token with the server's RSA public key — which is not secret — used as the HMAC key. JWTForge's algorithm-confusion generator re-signs your token this way so you can check whether the server trusts the header's algorithm.

Can I brute-force a JWT secret in the browser?

Yes. The Attack tab includes an HS256/384/512 dictionary brute-forcer that runs in a Web Worker so the UI never blocks. It ships with a wordlist of common leaked secrets and accepts your own. If a weak secret is recovered, you can forge tokens the server will accept. It is entirely client-side — nothing is uploaded.

Is JWTForge a jwt_tool alternative I can use online?

JWTForge covers much of the same JWT attack surface as jwt_tool — alg:none, algorithm confusion, kid/jwk/jku injection, claim tampering and secret brute-force — directly in the browser with no install. For each attack it also emits the equivalent jwt_tool command, so you can pivot to the CLI when you want to fire requests at a target yourself.

Does the Audit tab confirm that my server is vulnerable?

No, and it never claims to. Whether a server accepts alg:none, mishandles algorithm selection, or uses a weak secret is a server-side property that cannot be observed from the token alone. Every Audit signal is a hypothesis to verify, paired with how to test it. The proof comes from running the matching Attack artifact against a system you are authorized to test.