Open Source · 100% Client-Side · No Backend · Free Forever

About JWT Arsenal

A toolkit built out of frustration - tired of copy-pasting Python scripts and switching between five different tabs during a JWT pentest. Everything you need, directly in the browser, no setup required.

Why this project exists

JWT vulnerabilities are everywhere - misconfigurations in algorithm handling, key injection, unsigned token acceptance. They show up in bug bounty programs, CTF challenges, and real-world pentests constantly. Yet every time, the workflow is the same: open jwt.io to decode, switch to a Python script to forge, paste the token into Burp, repeat.

JWT Arsenal was built to collapse that entire workflow into one place. You paste a token, tweak the payload, pick an attack, and get a forged token - all without leaving the tab, without installing anything, and without sending your client's tokens to a third-party server.

The Knowledge Base exists because understanding why an attack works matters as much as executing it. Each article covers the cryptographic mechanics, the RFC that defines the behaviour, and the vulnerable code pattern - so you can identify the flaw yourself, not just press a button.

Privacy & security model

This is a static site. There is no server, no API, no database. The entire application is HTML, CSS, and JavaScript served from a CDN. All cryptographic operations run locally via the browser's native Web Crypto API.

No tokens transmitted - JWTs and keys never leave your machine
No analytics tracking - No fingerprinting, no event collection
No accounts required - Nothing to sign up for, ever
No external requests - Zero runtime network calls

You can safely paste real tokens from live engagements. Nothing is logged, cached, or stored anywhere outside of your browser's local memory.

Open source & contributions

JWT Arsenal is fully open source under the MIT license. The code is on GitHub - readable, forkable, improvable. If you spot a bug, want to add a new attack module, or want to contribute a Knowledge Base article, pull requests are welcome.

Tech stack

Next.js 16 - App Router with static export; no server needed at runtime
TypeScript - Strict mode throughout
jose - RFC-compliant JWT / JOSE library for browser cryptography
Web Crypto API - Native browser API for RSA, HMAC, and ECDSA operations
Cloudflare Pages - Global CDN, zero cold starts, free tier with unlimited bandwidth

Research & references

Legal Disclaimer - Read Before Use

JWT Arsenal is intended exclusively for authorized penetration tests, bug bounty programs (within scope), CTF competitions, and security research in lab environments you own.

Using this tool against systems without explicit written authorization is illegal under the CFAA, the Computer Misuse Act, and equivalent laws worldwide. The author accepts no liability for misuse.

Built for the security community - use it responsibly.