Automic VaultAutomic Vault

brew

Install jwt-hack with Homebrew, Nix

JSON Web Token Hack Toolkit. Version 2.6.0 via Homebrew; verified 2026-06-05.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install jwt-hack

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#jwt-hack

nixpkgs package indexes · pkgs/by-name/jw/jwt-hack/package.nix · source: api.github.com

overview

Package summary

JSON Web Token Hack Toolkit

Commands and aliases

  • jwt-hack

history

Project history and usage

jwt-hack is a JSON Web Token security-testing toolkit for encoding, decoding, verifying, cracking weak secrets, generating attack payloads, and scanning tokens for common JWT mistakes.

Project history

The maintainer, Hahwul, described creating jwt-hack in October 2020 as a Go tool born from a personal need to make JWT security testing more convenient, initially centered on cracking JWT signing secrets with wordlists or brute force. GitHub release metadata records v1.0.0 on August 31, 2020, which lines up with that early public project period.

On June 6, 2025, the maintainer announced jwt-hack v2 as a complete Rust rewrite. The stated motivations were better stability through Rust's ownership model and improved performance; later README material shows the Rust-era tool expanding into JWE support, DEFLATE-compressed JWT handling, scan mode, API server mode, Docker images, Snapcraft, and MCP server mode.

Adoption history

jwt-hack's adoption is mainly within offensive-security, bug-bounty, and application-security workflows rather than general JWT debugging. Its README documents installation through Cargo, Homebrew, Snapcraft, source builds, GHCR, and Docker Hub, which makes it portable across local labs, CI jobs, and containerized testing environments.

How it is used

Typical use cases include decoding suspicious tokens, generating algorithm-confusion or header-based payloads, testing weak HMAC secrets with dictionaries or brute force, validating signatures, and running a scan that checks for weak secrets, missing claims, `none` algorithm acceptance, algorithm confusion, and header injection vectors.

Why package nerds care

For package nerds, jwt-hack is the security-tool counterpart to simpler JWT viewers: it packages practical JWT attack primitives into a single installable CLI and shows the 2020s shift from Go security utilities toward Rust rewrites where maintainers care about memory safety and distributable binaries.

Timeline

  • 2020-08-31: v1.0.0 GitHub release published.
  • 2020-10: Maintainer describes the original Go tool as created for convenient JWT security testing.
  • 2025-06-06: v2.0.0 released and announced as a complete Rust rewrite.
  • 2025-08-29: v2.2.0 release line adds JWE and EdDSA-oriented functionality in the Rust era.
  • 2026-06-05: v2.6.0 GitHub release published.

Related projects

  • jwt-hack relates to JWT.io and jwt-cli for inspection and encoding, but it is closer in spirit to web-application security tools because it includes cracking, payload generation, and vulnerability scanning.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.
  • Build metadata lists 2 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
jwt-hackcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.6.0
manager updated2026-06-05
local dataok
upstreamcurrent
latest detectedv2.6.0

https://github.com/hahwul/jwt-hack

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:jwt-hack
Version2.6.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/jwt-hack
Homepagehttps://github.com/hahwul/jwt-hack
Repositoryhttps://github.com/hahwul/jwt-hack
Upstream docshttps://github.com/hahwul/jwt-hack
LicenseMIT
Source archivehttps://github.com/hahwul/jwt-hack/archive/refs/tags/v2.6.0.tar.gz
Last updated2026-06-05T20:50:17Z
Pulseupdated
Dependenciesopenssl@4
Build dependenciespkgconf, rust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namejwt-hack
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

jwt-hack

nix profile install nixpkgs#jwt-hack
  • normalized package name match
  • Matched by: Jwt Hack
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/jw/jwt-hack/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment