macOS
brew install jwt-hacklocal Homebrew formula metadata
brew
JSON Web Token Hack Toolkit. Version 2.6.0 via Homebrew; verified 2026-06-05.
install
brew install jwt-hacklocal Homebrew formula metadata
nix profile install nixpkgs#jwt-hacknixpkgs package indexes · pkgs/by-name/jw/jwt-hack/package.nix · source: api.github.com
overview
JSON Web Token Hack Toolkit
history
jwt-hack is a JSON Web Token security-testing toolkit for encoding, decoding, verifying, cracking weak secrets, generating attack payloads, and scanning tokens for common JWT mistakes.
The maintainer, Hahwul, described creating jwt-hack in October 2020 as a Go tool born from a personal need to make JWT security testing more convenient, initially centered on cracking JWT signing secrets with wordlists or brute force. GitHub release metadata records v1.0.0 on August 31, 2020, which lines up with that early public project period.
On June 6, 2025, the maintainer announced jwt-hack v2 as a complete Rust rewrite. The stated motivations were better stability through Rust's ownership model and improved performance; later README material shows the Rust-era tool expanding into JWE support, DEFLATE-compressed JWT handling, scan mode, API server mode, Docker images, Snapcraft, and MCP server mode.
jwt-hack's adoption is mainly within offensive-security, bug-bounty, and application-security workflows rather than general JWT debugging. Its README documents installation through Cargo, Homebrew, Snapcraft, source builds, GHCR, and Docker Hub, which makes it portable across local labs, CI jobs, and containerized testing environments.
Typical use cases include decoding suspicious tokens, generating algorithm-confusion or header-based payloads, testing weak HMAC secrets with dictionaries or brute force, validating signatures, and running a scan that checks for weak secrets, missing claims, `none` algorithm acceptance, algorithm confusion, and header injection vectors.
For package nerds, jwt-hack is the security-tool counterpart to simpler JWT viewers: it packages practical JWT attack primitives into a single installable CLI and shows the 2020s shift from Go security utilities toward Rust rewrites where maintainers care about memory safety and distributable binaries.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
jwt-hack | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/hahwul/jwt-hack
install metadata
| Package key | brew:jwt-hack |
|---|---|
| Version | 2.6.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/jwt-hack |
| Homepage | https://github.com/hahwul/jwt-hack |
| Repository | https://github.com/hahwul/jwt-hack |
| Upstream docs | https://github.com/hahwul/jwt-hack |
| License | MIT |
| Source archive | https://github.com/hahwul/jwt-hack/archive/refs/tags/v2.6.0.tar.gz |
| Last updated | 2026-06-05T20:50:17Z |
| Pulse | updated |
| Dependencies | openssl@4 |
| Build dependencies | pkgconf, rust |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | jwt-hack |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
jwt-hack
nix profile install nixpkgs#jwt-hacksource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.