Skip to content

Get Started

Decode

Inspect any JWT header and claims without needing the signing key.

Verify

Validate signatures against an HMAC secret, a PEM key, or a JWKS endpoint.

Create & sign

Mint new tokens or re-sign existing ones with a different algorithm or key.

Security testing

Probe live servers for JWT vulnerabilities or generate exploit tokens for manual testing.

Terminal window
# Install
go install github.com/cerberauth/jwtop@latest
# Decode a token
jwtop decode $TOKEN
# Verify with an HMAC secret
jwtop verify $TOKEN --secret mysecret
# Probe a server for JWT vulnerabilities
jwtop crack $TOKEN --url https://api.example.com/protected