JWT Fuzzer
Generate mutated tokens covering common JWT attack vectors, for testing your own verifier.
- Algorithm set to "none": Tests whether the verifier rejects unsigned tokens. A vulnerable server accepts this as fully trusted.
- Algorithm set to "None" / "NONE": Case-variant of alg:none — catches verifiers that only check the lowercase string.
- Empty signature: Strips the signature entirely while keeping the algorithm declared.
- Corrupted signature: Flips the last character of a valid-looking signature. Confirms the verifier actually checks bytes rather than just length.
- Privilege escalation payload: Injects common admin/role claims to check if the app trusts unverified payload fields.
- Expiry extended 10 years: Tests whether an expired or short-lived token can be extended by editing exp without re-signing.
- exp claim removed: Checks whether the verifier requires an expiration claim or silently accepts tokens without one.
- kid header injection: Injects a path-traversal-like value into the kid header, a known vector when kid is used to look up keys from disk or a database.
- jku header pointing to attacker host: Sets jku to an external URL to test if the verifier fetches and trusts a remote JWK set without an allowlist.
JWT Fuzzer & Security Tester
API endpoints that consume JWTs must handle invalid or malicious tokens gracefully. Our JWT Fuzzer generates dozens of mutated variations of your token so you can test your API's security controls: for example by stripping the signature, changing the algorithm to `none`, or injecting SQL payloads.
Core Features
- Algorithm Confusion Attacks: Generate tokens with `alg: "none"` to test if your backend rejects unsigned tokens.
- Expired Tokens: Easily generate tokens with an `exp` claim in the past to verify expiration checks are working.
- Payload Injection: Inject unexpected data types (arrays instead of strings) or SQL payloads to test backend validation resilience.
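As an added example (not the tool's own code), this Python script builds a seed HS256 token, derives the mutations listed in both the attack-vector list and the Core Features above, and runs them through a hardened verifier that should reject every one of them. The key, claims, kid/jku values and JWKS URL are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
KEY = b"constructed-demo-key-replace-with-your-own"  # constructed sample key, not a real secret

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(header: dict, payload: dict, key: bytes = KEY) -> str:
    """Build a valid HS256 token: the seed every mutation below is derived from."""
    h, p = b64url(json.dumps(header).encode()), b64url(json.dumps(payload).encode())
    return f"{h}.{p}.{b64url(hmac.new(key, f'{h}.{p}'.encode(), hashlib.sha256).digest())}"

def mutate(token: str) -> dict:
    """Return the mutations listed on this page, keyed by name. None of them is re-signed."""
    h, p, s = token.split(".")
    header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    rehead = lambda hd: f"{b64url(json.dumps(hd).encode())}.{p}.{s}"
    repay = lambda pl: f"{h}.{b64url(json.dumps(pl).encode())}.{s}"
    muts = {f"alg_{a}": f"{b64url(json.dumps({**header, 'alg': a}).encode())}.{p}."
            for a in ("none", "None", "NONE")}  # alg none and its case variants
    muts["empty_signature"] = f"{h}.{p}."
    muts["corrupted_signature"] = f"{h}.{p}." + s[:-1] + ("A" if s[-1] != "A" else "B")
    muts["privilege_escalation"] = repay({**payload, "role": "admin"})
    muts["exp_extended_10y"] = repay({**payload, "exp": int(time.time()) + 10 * 365 * 86400})
    muts["exp_removed"] = repay({k: v for k, v in payload.items() if k != "exp"})
    muts["kid_injection"] = rehead({**header, "kid": "../../kid-traversal-placeholder"})
    muts["jku_external"] = rehead({**header, "jku": "https://attacker.invalid/jwks.json"})
    return muts

def verify_strict(token: str, key: bytes = KEY) -> bool:
    """Hardened verifier: exact alg allowlist, canonical constant-time signature check, exp required."""
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):  # wrong part count, bad base64 or bad JSON
        return False
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False  # arrays or scalars where objects are expected
    if header.get("alg") != "HS256":  # allowlist: a plain != "none" test misses "None"/"NONE"
        return False
    if "kid" in header or "jku" in header:  # one static key, so key-lookup hints are never honoured
        return False
    expected = b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, s):  # canonical encoding compared, so one flipped char fails
        return False
    exp = payload.get("exp")  # exp must be present, an integer and in the future
    return isinstance(exp, int) and exp > int(time.time())
```

Running `mutate` on a token your own service issued and checking that `verify_strict` (or your real verifier) returns False for every entry is the whole test; any True is a finding.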

