jwt.io is great for decoding and verifying tokens. But pentesters need more — attack templates, key generation, brute force, and fuzzing. Payload Playground turns JWT analysis into JWT exploitation.

| Feature | Payload Playground | jwt.io |
|---|---|---|
| Decode JWT Tokens | ||
| Verify Signatures | ||
| Build Custom Tokens | Manual only | |
| Attack Templates (alg:none, key confusion) | 15+ attacks | |
| Fuzz Tab (parameter manipulation) | ||
| Compare Mode (diff two tokens) | ||
| Weak Secret Brute Force | ||
| RSA Key Pair Generation | ||
| JWKS Generator | ||
| OAuth2/OIDC Claim Templates | ||
| CLI Tool (npm) | ||
| 100% Client-Side | | |

jwt.io decodes tokens. Payload Playground attacks them. alg:none bypass, RS256-to-HS256 key confusion, JKU/X5U injection, kid path traversal, HMAC weak secret brute force — all one click away.
Four dedicated tabs: Decode, Build, Compare, and Fuzz. Build custom tokens with any claims, diff two tokens side-by-side, or fuzz parameters to find edge cases.
Generate RSA key pairs for forging tokens. Create matching JWKS endpoints for JKU attacks. Export keys in PEM and JWK formats. Everything you need for JWT exploitation.
The CLI includes jwt-decode, jwt-build, jwt-attack, and weak-secret commands. Pipe tokens from your proxy, attack them in your terminal, and forge new ones — all scriptable.