Audit JWT auth on a web app in a sanctioned pentest
Crack weak HMAC secrets from captured tokens with a wordlist
Reproduce alg:none and RS256 to HS256 confusion bugs in a lab
Forge admin role tokens once a signing secret is recovered
Needs Python 3.10+ and a pip editable install; only useful if you already have target JWTs and authorization to test.
This project is a command line toolkit built around JSON Web Tokens (JWTs), the small encoded strings websites and APIs use to prove who you are after you log in. It is aimed at security engineers and testers who need to inspect these tokens, find weaknesses in how they are signed, and reproduce known attacks in controlled environments such as labs or authorised audits.

The toolkit groups its work into a set of commands. The parse command decodes a token's header and payload and annotates what it finds. The summary command produces a prioritised report of the attack surface and suggests next steps. Other commands generate specific attack payloads: none creates variants that drop the signature algorithm; confusion builds tokens that try to trick a server expecting RS256 into accepting HS256; kid and jku-spoof craft headers that point to attacker-controlled keys; and jwk-inject embeds a fresh public key in the header and signs the token with the matching private key.

There are also offensive helpers for cracking and forging. The brute command runs a dictionary attack against HMAC-signed tokens, trying every entry in a wordlist as the secret. The forge command re-signs a token with new claims, for example switching a role to admin, once a secret or key is known. The verify command checks whether a candidate secret matches a token's signature.

Installation needs Python 3.10 or newer. After running pip install on the project folder, you call jwt-toolkit with one of the commands. Helpers such as gen-keys and gen-jwks create RSA keypairs and JWKS files for setting up test scenarios. The README closes with a responsible use statement: the tools are for authorised testing, research, and training only, not for use against systems without permission.
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.