Notes App

JWT Token

Edit Header

Edit Payload

Signature

Tip: Leave empty to test if server checks signature at all

Sign Mode: If you have (or guessed) the secret key, sign the token properly.

Secret Key

Note:

Only works with HMAC algorithms (HS256, HS384, HS512)
RSA/ECDSA require private keys (use external tools)
The token above will be updated with the new valid signature

Signature Verification

Secret Key

Brute Force Tips:

Use jwt_tool for automated cracking
Use hashcat mode 16500 for GPU cracking
Try common wordlists: rockyou.txt, common-passwords.txt
Check for weak secrets: company name, default values, etc

Input

Output