jwt_tool is the go-to command-line toolkit for JWT recon and attacks — testing for the none algorithm, RS256→HS256 key confusion, signature stripping, and dictionary-cracking the HMAC secret. Payload Playground is the browser-side companion: paste a token to decode every claim, flip the algorithm, edit the payload, re-sign with a known or empty key, and copy the tampered JWT — all client-side, no install, with the full attack reference one tab away.
Different tools, different jobs: jwt_tool is a Python CLI that runs scan, exploit, and crack modes against a token (and, with a target URL, replays the tampered token for you). Payload Playground doesn't send requests — it's the manual workbench: decode and inspect the header and claims, force alg:none, swap RS256 to HS256 and re-sign with the public key, tamper a claim and re-sign with a cracked or empty secret, then hand the finished token to your proxy or to jwt_tool. Use jwt_tool to enumerate and automate; use PP to understand a token and craft an exact attack payload by hand.
jwt_tool wins at
Payload Playground wins at
Real pentest tasks — showing where Payload Playground and jwt_tool each excel.
| Task | Payload Playground | jwt_tool |
|---|---|---|
| Decode a captured token and read the claims | JWT Decoder & Builder (payloadplayground.com/tools/jwt-decoder) | Decode mode |
| Forge an alg:none / unsigned token | Set alg to none, strip signature (payloadplayground.com/tools/jwt-decoder) | Exploit mode (-X a) |
| Run RS256 → HS256 key confusion | Re-sign with the public key (payloadplayground.com/generators/jwt) | Exploit mode (-X k) |
| Tamper a claim and re-sign | Edit payload, re-sign by hand (payloadplayground.com/tools/jwt-decoder) | Tamper mode (-T) |
| Crack the HMAC secret | Exports hashcat/John command (payloadplayground.com/tools/jwt-decoder) | Crack mode (-C -d) |
| Replay the tampered token at a target | Not a request sender | Built-in replay (-t) |
The payload-playground CLI is pipe-friendly — output feeds directly into jwt_tool and other tools.

Decode a token, then hand it to jwt_tool to scan:

```shell
payload-playground jwt decode "$JWT" | jwt_tool -
```

Craft an alg:none token in PP, then replay it with jwt_tool:

```shell
payload-playground jwt forge --alg none --claim 'admin=true' | xargs -I{} jwt_tool -t https://target {}
```

| Feature | Payload Playground | jwt_tool |
|---|---|---|
| Zero install — runs in browser | Yes | Python CLI |
| Decode & inspect every claim | Yes | Decode mode |
| Build & re-sign a tampered token | Visual builder | CLI flags |
| alg:none / signature stripping | Yes | Exploit mode (-X a) |
| RS256 → HS256 key confusion | Yes | Exploit mode (-X k) |
| Automated scan of all attacks | No | Scan mode (-M) |
| Dictionary-crack the HMAC secret | Exports crack command | Crack mode (-C -d) |
| Replay tampered token at a target | No | Built-in (-t) |
| 100% client-side — token never leaves device | Yes | Local tool |
| JWT attacks cheat sheet & guide | 97 cheat sheets + guides | |
Each of these fills a gap jwt_tool doesn't cover — payload crafting, encoding, and manual exploitation.
JWT Decoder & Builder
Decode, build, verify, and attack JWTs — none, alg confusion, tampering.
JWT Payloads Generator
Create and sign attack tokens across algorithms, including 'none'.
OAuth / OIDC Attack Wizard
Test the OAuth and OIDC flows that issue and consume your JWTs.
Base64 Encoder / Decoder
Decode JWT segments by hand — URL-safe Base64 with security context.
JWT Attacks Cheat Sheet
none, key confusion, kid injection, jku/x5u, and secret cracking.
How to Test for JWT Vulnerabilities
A step-by-step walkthrough of every JWT attack, start to finish.
Is Payload Playground a replacement for jwt_tool?
No — they do different jobs. jwt_tool is a CLI that scans a token for weaknesses, runs known exploits (none, alg/key confusion, signature stripping), and can replay tampered tokens against a target URL. Payload Playground is a 100% browser-based workbench that decodes, builds, verifies, and tampers JWTs by hand — it never sends a request to a target. Use PP to craft and reason about a token, then run or replay it with jwt_tool or your proxy.
Can I decode and tamper a JWT in Payload Playground without installing anything?
Yes. The JWT Decoder & Builder runs entirely in your browser — paste a token to decode the header, payload, and signature, edit any claim, switch the algorithm (including 'none'), and re-sign with a key you supply. The token never leaves your device, so it's safe to paste session JWTs you wouldn't want a server to log.
Does Payload Playground do alg:none and RS256-to-HS256 key confusion?
Yes. The JWT Decoder & Builder lets you set the algorithm to 'none' and strip the signature, or switch a RS256 token to HS256 and re-sign it using the server's public key as the HMAC secret — the two classic JWT bypasses. The JWT Payloads generator produces ready-made attack tokens for the same scenarios, and the JWT attacks cheat sheet documents the technique step by step.
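Both bypasses come down to the same server-side defect: a verifier that lets the token's own header choose the algorithm. As an added example (not Payload Playground's or jwt_tool's code), here is a stdlib-only Python verifier with that defect beside one that pins the algorithm from server configuration; the public-key PEM and HMAC secret are constructed placeholders, and RSA verification is deliberately left to a vetted library.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed placeholders: a stand-in for the server's RSA public key PEM
# (public, not secret material) and the HMAC secret of an HS256 deployment.
SERVER_PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----"
HS_SECRET = "constructed-demo-secret"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(payload: dict, alg: str, key: str = "") -> str:
    """Test-vector builder: compact JWT; alg 'none' gets an empty signature segment."""
    header = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = header + "." + b64u(json.dumps(payload).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)

def verify_trusting_header(token: str, key: str) -> Optional[dict]:
    """Vulnerable pattern: the token's own header picks the algorithm."""
    h, p, s = token.split(".")
    alg = json.loads(unb64u(h))["alg"]
    if alg == "none":  # signature-less token is waved through
        return json.loads(unb64u(p))
    if alg == "HS256":  # key confusion: 'key' may be the RSA public key PEM
        mac = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        return json.loads(unb64u(p)) if hmac.compare_digest(mac, unb64u(s)) else None
    return None  # RS256 branch omitted: the forged tokens above never reach it

def verify_pinned(token, key, expected_alg, now=None) -> Optional[dict]:
    """Hardened: the algorithm comes from server config, never from the header."""
    h, p, s = token.split(".")
    if json.loads(unb64u(h)).get("alg") != expected_alg or expected_alg == "none":
        return None  # rejects alg:none and RS256->HS256 swaps before any crypto
    if expected_alg != "HS256":
        raise NotImplementedError("RSA verification: delegate to a vetted JWT library")
    mac = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, unb64u(s)):
        return None
    payload = json.loads(unb64u(p))
    if "exp" in payload and payload["exp"] <= (time.time() if now is None else now):
        return None  # expired
    return payload
```

The pinned verifier never reads `alg` to decide what to do; it only checks that the header agrees with what the server already expects, which is the single change that closes both bypasses.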
Can Payload Playground crack a JWT's HMAC secret like jwt_tool?
No — secret cracking is jwt_tool's job (or hashcat -m 16500). PP extracts the JWT into the hashcat/John format and gives you the exact command, but it doesn't run the GPU crack itself. Once jwt_tool or hashcat recovers the secret, paste it back into PP's JWT builder to re-sign a tampered payload.
How do jwt_tool and Payload Playground work together?
A typical flow: (1) Decode the captured token in PP's JWT Decoder & Builder to read the claims and spot the algorithm. (2) Use jwt_tool's scan mode (-M) to enumerate weaknesses, or its crack mode (-C -d) to recover an HMAC secret. (3) Back in PP, force alg:none or swap to HS256, tamper the claim you care about, and re-sign with the empty/cracked/public key. (4) Replay the finished token with jwt_tool -t or your intercepting proxy, keeping the JWT attacks cheat sheet open for reference.
Payload Playground decodes, builds, and tampers the JWT by hand. jwt_tool scans, cracks, and replays it. No install for PP — just open your browser.