JWT Forge forge · decode · attack

← All Tools
● Header HS256
● Payload
● Claims
● Signature
Attack Presets
kid:/dev/null — Sets "kid": "../../../dev/null" in the header and signs with an empty string secret. The server reads /dev/null (0 bytes) as the key, so HMAC verification passes.
alg:none — Classic unsigned token bypass.
Empty key — Signs with "" as the HMAC secret.
Encoded Token
Token Anatomy
■ Header ■ Payload ■ Signature
..
Waiting for input
⚡ Attack Tokens
⚠ For authorized testing and educational use only. Do not use against systems you do not own or have explicit permission to test.