Brute-force HS256, HS384 or HS512 JWT Token from your browser. Using exclusively 100% client-side JavaScript. No installation needed.

Demo :

https://github.com/user-attachments/assets/61c2abd2-5832-433a-bc92-54411db8860e

Made with Vue 3 (TypeScript, 0 dependency) using web workers and a futuristic looking UI.

Contributions are welcome!

Update 04-2025 : The domain has changed from jwt-cracker.online to jwt.cracking.ovh

Features

• [x] HS256, HS384, HS512
• [x] Bruteforcing with custom character set
• [x] Bruteforcing with custom length
• [x] Dictionary attack with a preset of lists
• [ ] Custom dictionary (#1)
• [ ] Timer and other statistics
• [ ] Bruteforcing using webassembly (#2)
• [ ] Notification when finished (#3)

Running locally

Recommended IDE Setup

VSCode + Volar (and disable Vetur) + TypeScript Vue Plugin (Volar).

Type Support for .vue Imports in TS

TypeScript cannot handle type information for .vue imports by default, so we replace the tsc CLI with vue-tsc for type checking. In editors, we need TypeScript Vue Plugin (Volar) to make the TypeScript language service aware of .vue types.

If the standalone TypeScript plugin doesn't feel fast enough to you, Volar has also implemented a Take Over Mode that is more performant. You can enable it by the following steps:

1. Disable the built-in TypeScript Extension
   1. Run Extensions: Show Built-in Extensions from VSCode's command palette
   2. Find TypeScript and JavaScript Language Features, right click and select Disable (Workspace)
2. Reload the VSCode window by running Developer: Reload Window from the command palette.

Customize configuration

See Vite Configuration Reference.

Project Setup

npm install

Compile and Hot-Reload for Development

npm run dev

Type-Check, Compile and Minify for Production

npm run build

Lint with ESLint

npm run lint