JWT Fuzzer

Generate mutated tokens covering common JWT attack vectors, for testing your own verifier.

Use these against your own systems only. Each mutation targets a specific verifier weakness — a secure implementation should reject all of them.

Algorithm set to "none"

Tests whether the verifier rejects unsigned tokens. A vulnerable server accepts this as fully trusted.

Severity: high
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.

Algorithm set to "None" / "NONE"

Case variant of alg:none; catches verifiers that only block the lowercase spelling of "none".

Severity: high
eyJhbGciOiJOb05lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.

Empty signature

Strips the signature entirely while keeping the algorithm declared.

Severity: high
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.

Corrupted signature

Flips the last character of a valid-looking signature. Confirms the verifier actually checks bytes rather than just length.

Severity: warn
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.nmm0qepYRjhNji3O-jq8Pvcr7l_me1_bomw4EJucQCA

Privilege escalation payload

Injects common admin/role claims to check if the app trusts unverified payload fields.

Severity: warn
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMiwiYWRtaW4iOnRydWUsInJvbGUiOiJhZG1pbiIsImlzQWRtaW4iOnRydWV9.nmm0qepYRjhNji3O-jq8Pvcr7l_me1_bomw4EJucQCU

Expiry extended 10 years

Tests whether an expired or short-lived token can be extended by editing exp without re-signing.

Severity: info
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMiwiZXhwIjoyMDk4NjA5NDI4fQ.nmm0qepYRjhNji3O-jq8Pvcr7l_me1_bomw4EJucQCU

exp claim removed

Checks whether the verifier requires an expiration claim or silently accepts tokens without one.

Severity: info
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.nmm0qepYRjhNji3O-jq8Pvcr7l_me1_bomw4EJucQCU

kid header injection

Injects a path-traversal-like value into the kid header, a known vector when kid is used to look up keys from disk or a database.

Severity: warn
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uLy4uLy4uL2Rldi9udWxsIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.nmm0qepYRjhNji3O-jq8Pvcr7l_me1_bomw4EJucQCU

jku header pointing to attacker host

Sets jku to an external URL to test if the verifier fetches and trusts a remote JWK set without an allowlist.

Severity: high
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImprdSI6Imh0dHBzOi8vYXR0YWNrZXIuZXhhbXBsZS9qd2tzLmpzb24ifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTUxNjIzOTAyMn0.nmm0qepYRjhNji3O-jq8Pvcr7l_me1_bomw4EJucQCU
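Added example, not part of the fuzzer's own code: a minimal HS256 verifier in Python that rejects every mutation class listed above (unsigned and case-variant alg, empty or corrupted signature, edited claims, missing exp, untrusted kid and jku). The key table, the key id `k1` and the reason strings are constructed for this demo.

```python
# Added example (not the fuzzer's own code); key material below is constructed.
import base64, hashlib, hmac, json

KEYS = {"k1": b"constructed-demo-key"}   # assumed: fixed server-side key table
ALLOWED_ALGS = {"HS256"}                 # alg is pinned by the server, not the token

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(header: dict, payload: dict, key: bytes) -> str:
    """Issue an HS256 token; used here only to build fixtures for the checks."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token: str, now: int) -> tuple:
    """Return (accepted, reason). A sound verifier rejects every mutation above."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return False, "missing signature"              # 'Empty signature', alg:none
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:
        return False, "undecodable segment"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "segment is not a JSON object"
    # Exact, case-sensitive allowlist match: 'none', 'None' and 'NoNe' all fail.
    if header.get("alg") not in ALLOWED_ALGS:
        return False, "algorithm not allowed"
    if "jku" in header:
        return False, "remote key URLs not supported"  # never fetch a JWK set
    key = KEYS.get(header.get("kid", "k1"))            # dict lookup, never a path
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"   # corrupted sig, edited exp or role claims
    exp = payload.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool):
        return False, "exp missing"                    # 'exp claim removed'
    if exp <= now:
        return False, "expired"
    return True, "ok"
```

Signature verification runs before any claim is read, so the privilege-escalation and extended-exp payloads are rejected as tampering rather than being interpreted.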

JWT Fuzzer & Security Tester

API endpoints that consume JWTs must handle invalid or malicious tokens gracefully. Our JWT Fuzzer generates dozens of mutated variations of your token, such as stripping the signature, changing the algorithm to `none`, or injecting SQL, so you can test your API's security controls.

Core Features

  • Algorithm Confusion Attacks: Generate tokens with `alg: "none"` to test if your backend rejects unsigned tokens.
  • Expired Tokens: Easily generate tokens with an exp claim in the past to verify expiration checks are working.
  • Payload Injection: Inject unexpected data types (arrays instead of strings) or SQL payloads to test backend validation resilience.