
jwt .io shows you the token. it won't tell you how to break it.
so i built jwtforge.
it audits JWTs for vulns (alg:none, algorithm confusion, kid/jwk injection) and forges working attack tokens with curl/burp/nuclei/jwt_tool ready to run.
all in your browser. nothing leaves your tab.
jwtforge.com
English
