Decode
Inspect any JWT header and claims without needing the signing key.
Decode
Inspect any JWT header and claims without needing the signing key.
Verify
Validate signatures against an HMAC secret, a PEM key, or a JWKS endpoint.
Create & sign
Mint new tokens or re-sign existing ones with a different algorithm or key.
Security testing
Probe live servers for JWT vulnerabilities or generate exploit tokens for manual testing.
# Installgo install github.com/cerberauth/jwtop@latest
# Decode a tokenjwtop decode $TOKEN
# Verify with an HMAC secretjwtop verify $TOKEN --secret mysecret
# Probe a server for JWT vulnerabilitiesjwtop crack $TOKEN --url https://api.example.com/protected