# Install jwt-hack with Homebrew, Nix

JSON Web Token Hack Toolkit. Version 2.6.0 via Homebrew; verified 2026-06-05.

## Install

```sh
sudo av install brew:jwt-hack
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install jwt-hack
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#jwt-hack
```

  Evidence: nixpkgs package indexes: pkgs/by-name/jw/jwt-hack/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:jwt-hack
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/jwt-hack>
- **Version:** 2.6.0
- **Source summary:** JSON Web Token Hack Toolkit
- **Homepage:** <https://github.com/hahwul/jwt-hack>
- **Repository:** <https://github.com/hahwul/jwt-hack>
- **Upstream docs:** <https://github.com/hahwul/jwt-hack>
- **License:** MIT
- **Source archive:** <https://github.com/hahwul/jwt-hack/archive/refs/tags/v2.6.0.tar.gz>
- **Last updated:** 2026-06-05T20:50:17Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- jwt-hack (cli)
- jwt-hack (alias)

## Dependencies

- openssl@4

## Build dependencies

- pkgconf
- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.6.0
- Package-manager updated: 2026-06-05
- Local data: ok
- Upstream repository: https://github.com/hahwul/jwt-hack
- Upstream latest detected: v2.6.0 (current)
## Project history and usage

jwt-hack is a JSON Web Token security-testing toolkit for encoding, decoding, verifying, cracking weak secrets, generating attack payloads, and scanning tokens for common JWT mistakes.

### Project history

The maintainer, Hahwul, described creating jwt-hack in October 2020 as a Go tool born from a personal need to make JWT security testing more convenient, initially centered on cracking JWT signing secrets with wordlists or brute force. GitHub release metadata records v1.0.0 on August 31, 2020, which lines up with that early public project period.

On June 6, 2025, the maintainer announced jwt-hack v2 as a complete Rust rewrite. The stated motivations were better stability through Rust's ownership model and improved performance; later README material shows the Rust-era tool expanding into JWE support, DEFLATE-compressed JWT handling, scan mode, API server mode, Docker images, Snapcraft, and MCP server mode.

### Adoption history

jwt-hack's adoption is mainly within offensive-security, bug-bounty, and application-security workflows rather than general JWT debugging. Its README documents installation through Cargo, Homebrew, Snapcraft, source builds, GHCR, and Docker Hub, which makes it portable across local labs, CI jobs, and containerized testing environments.

### How it is used

Typical use cases include decoding suspicious tokens, generating algorithm-confusion or header-based payloads, testing weak HMAC secrets with dictionaries or brute force, validating signatures, and running a scan that checks for weak secrets, missing claims, `none` algorithm acceptance, algorithm confusion, and header injection vectors.

### Why package nerds care

For package nerds, jwt-hack is the security-tool counterpart to simpler JWT viewers: it packages practical JWT attack primitives into a single installable CLI and shows the 2020s shift from Go security utilities toward Rust rewrites where maintainers care about memory safety and distributable binaries.

### Timeline

- 2020-08-31: v1.0.0 GitHub release published.
- 2020-10: Maintainer describes the original Go tool as created for convenient JWT security testing.
- 2025-06-06: v2.0.0 released and announced as a complete Rust rewrite.
- 2025-08-29: v2.2.0 release line adds JWE and EdDSA-oriented functionality in the Rust era.
- 2026-06-05: v2.6.0 GitHub release published.

### Related projects

- jwt-hack relates to JWT.io and jwt-cli for inspection and encoding, but it is closer in spirit to web-application security tools because it includes cracking, payload generation, and vulnerability scanning.

### Sources

- <https://crates.io/crates/jwt-hack>
- <https://github.com/hahwul/jwt-hack>
- <https://github.com/hahwul/jwt-hack/releases>
- <https://www.hahwul.com/blog/2025/jwt-hack-v2/>
- <https://www.rfc-editor.org/rfc/rfc7519>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** jwt-hack
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - jwt-hack: normalized package name match | nixpkgs package indexes: pkgs/by-name/jw/jwt-hack/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Text processing packages](https://www.automicvault.com/pkg/text-processing-tools/) - Matched text, document, or structured-data processing metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [openssl@4](https://www.automicvault.com/pkg/brew/openssl-4/) - Runtime dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [jwt-cli](https://www.automicvault.com/pkg/brew/jwt-cli/) - Shares av.db curated category or tags: cli, jwt, security, token.
- [sqlmap](https://www.automicvault.com/pkg/brew/sqlmap/) - Shares av.db curated category or tags: cli, security, testing.
- [afl++](https://www.automicvault.com/pkg/brew/afl/) - Shares av.db curated category or tags: cli, security, testing.
- [echidna](https://www.automicvault.com/pkg/brew/echidna/) - Shares av.db curated category or tags: cli, security, testing.
- [forbidden](https://www.automicvault.com/pkg/brew/forbidden/) - Shares av.db curated category or tags: cli, pentesting, security.
- [ldeep](https://www.automicvault.com/pkg/brew/ldeep/) - Shares av.db curated category or tags: cli, pentesting, security.
- [legba](https://www.automicvault.com/pkg/brew/legba/) - Shares av.db curated category or tags: cli, security, testing.
- [slowhttptest](https://www.automicvault.com/pkg/brew/slowhttptest/) - Shares av.db curated category or tags: cli, security, testing.
- [jose](https://www.automicvault.com/pkg/brew/jose/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, jwt, openssl, openssl-4, security.

## Combined YAML source

View the package source record on GitHub. [combined/jwt-hack.yml](https://github.com/automic-vault/db/blob/main/combined/jwt-hack.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
