Skip to content

jwt generate

Parse an existing JWT and re-sign it with a new algorithm and key. The original claims are preserved. Useful for manually crafting tokens to test JWT vulnerability mitigations.

Terminal window
vulnapi jwt generate <TOKEN> --alg <alg> --secret <secret>
FlagDescription
--alg <algorithm>Signing algorithm (required): HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, NONE
--secret <secret>Secret key to sign the token (required for HMAC algorithms)
--aud <audience>Audience claim (aud) to set in the token

Re-sign with a different HMAC secret

Terminal window
vulnapi jwt generate eyJhbGciOiJIUzI1NiI... --alg HS256 --secret newsecret

Strip the signature (alg=none)

Terminal window
vulnapi jwt generate eyJhbGciOiJIUzI1NiI... --alg NONE

Re-sign with a custom audience

Terminal window
vulnapi jwt generate eyJhbGciOiJIUzI1NiI... --alg HS256 --secret mysecret --aud myservice

The signed token string is printed to stdout.

CodeMeaning
0Token generated successfully
1Invalid input token, unknown algorithm, or missing required flags