Awesome Open Source
Awesome Open Source

npm npm Rawsec's CyberSecurity Inventory GitHub stars GitHub license


Simple HS256 JWT token brute force cracker.

Effective only to crack JWT tokens with weak secrets. Recommendation: Use strong long secrets or RS256 tokens.


With npm:

npm install --global jwt-cracker


From command line:

jwt-cracker <token> [<alphabet>] [<maxLength>]


  • token: the full HS256 JWT token string to crack
  • alphabet: the alphabet to use for the brute force (default: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
  • maxLength: the max length of the string generated during the brute force (default: 12)


This script requires Node.js version 6.0.0 or higher


Cracking the default example:

jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6

It takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7).


Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.


Licensed under MIT License. © Luciano Mammino.

Alternatives To Jwt Cracker
Select To Compare

Alternative Project Comparisons
Related Awesome Lists
Top Programming Languages

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Javascript (1,119,969
Command Line (131,897
Token (29,461
Secret (12,067
Jwt (10,163
Brute (1,531
Cracker (1,427
Brute Force (1,411
Crack (1,130
Brute Force Attacks (159
Alphabet (75
Jwt Cracker (4