JWTForge

JWT vulnerability scanner

Static heuristic signals derived from the token alone. Treat them as hypotheses to verify, not as confirmed vulnerabilities: a client-side tool cannot observe how the server behaves.

Pasted tokens stay in your browser (saved to localStorage so they persist across tabs). Nothing is sent anywhere. Because localStorage survives closing the tab, a pasted live token remains in the browser profile until you clear it.

How to read this: every card below is a signal to investigate. JWTForge cannot confirm that a server is vulnerable; it can only flag what is worth testing. Each card links to the Attack-tab generator that proves (or disproves) the signal against a system you are authorized to test.
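As an added example, not JWTForge's code: the kind of static, token-only heuristic pass the text describes, written in JavaScript for Node. The signal ids, the checks it runs (alg none or empty signature, symmetric alg, asymmetric alg as a key-confusion candidate, kid/jku/x5u/jwk headers, missing or past exp) and the constructed sample tokens are this example's own assumptions about what is worth flagging, not a list of what JWTForge checks. Each signal pairs what was seen in the token with the server-side test that would confirm or refute it.

```javascript
// Added example (not JWTForge's code): a minimal static JWT heuristic scanner.
// It inspects only the token and emits hypotheses to verify against a server
// you are authorized to test. Signal ids, heuristics and sample tokens are
// this example's own assumptions.

// Node's Buffer handles base64url here; a browser build would use atob/TextDecoder.
function b64urlDecode(segment) {
  let s = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = s.length % 4;
  if (rem === 1) throw new Error('invalid base64url segment');
  if (rem) s += '='.repeat(4 - rem);
  return Buffer.from(s, 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split and decode header and payload; the signature stays base64url because
// only its presence matters for these heuristics.
function parseJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, signature] = parts;
  return { header: JSON.parse(b64urlDecode(h)), payload: JSON.parse(b64urlDecode(p)), signature };
}

// Each signal records what was seen in the token and what to test on the server.
// `now` is injectable so the exp check is deterministic.
function scanJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = parseJwt(token);
  const alg = String(header.alg ?? '');
  const signals = [];
  const flag = (id, seen, verify) => signals.push({ id, seen, verify });

  if (alg.toLowerCase() === 'none' || signature === '') {
    flag('alg-none', `alg=${alg || '(missing)'}, signature ${signature ? 'present' : 'empty'}`,
      'Resubmit with alg "none" and an empty signature; a server that accepts it skips verification.');
  }
  if (/^HS\d{3}$/i.test(alg)) {
    flag('hmac-secret', `${alg} is symmetric; security rests on the shared secret`,
      'Run an offline dictionary attack on the signature; a guessable secret lets you mint tokens.');
  }
  if (/^(RS|PS|ES)\d{3}$/i.test(alg)) {
    flag('alg-confusion', `${alg} is asymmetric`,
      'Re-sign with HS256 using the server public key as the HMAC secret; check whether it verifies.');
  }
  if ('kid' in header) {
    flag('kid-lookup', `kid=${JSON.stringify(header.kid)} selects the verification key`,
      'Try kid values shaped like file paths or SQL fragments; the key lookup may be injectable.');
  }
  for (const claim of ['jku', 'x5u']) {
    if (claim in header) {
      flag('remote-key-url', `${claim}=${header[claim]}`,
        'Point the URL at a host you control; check whether the server fetches keys from it.');
    }
  }
  if ('jwk' in header) {
    flag('embedded-jwk', 'header carries its own public key',
      'Re-sign with your own key pair and embed the public key; check whether it verifies.');
  }
  if (payload.exp === undefined) {
    flag('no-exp', 'payload has no exp claim', 'Check whether the server enforces any lifetime.');
  } else if (payload.exp < now) {
    flag('expired', `exp=${payload.exp} is in the past`, 'Submit it anyway; some servers never check exp.');
  }
  return signals;
}

function signalIds(token, now) {
  return scanJwt(token, now).map(s => s.id);
}

// Constructed sample tokens: hypothetical claims and dummy signatures, not real credentials.
function makeToken(header, payload, signature = 'ZHVtbXk') {
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.${signature}`;
}
const SAMPLE_HS256 = makeToken({ alg: 'HS256', typ: 'JWT', kid: 'key-1' }, { sub: 'alice', exp: 4102444800 });
const SAMPLE_NONE = makeToken({ alg: 'none' }, { sub: 'alice', admin: true }, '');
const SAMPLE_RS256 = makeToken({ alg: 'RS256', jku: 'https://keys.example/jwks.json' }, { sub: 'bob' });

for (const t of [SAMPLE_HS256, SAMPLE_NONE, SAMPLE_RS256]) {
  for (const s of scanJwt(t, 1700000000)) console.log(`${s.id}: ${s.seen}\n  test: ${s.verify}`);
}
```

Every entry the scanner emits is a hypothesis in the sense the page uses: flagging HS256 says nothing about whether the secret is weak, and flagging a jku header says nothing about whether the server fetches from it. Only the server-side test named in `verify` settles the question.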