# JWT Auditor MCP Server
This project provides an MCP server exposing advanced JWT auditing tools, inspired by [JWTAuditor](https://github.com/dr34mhacks/jwtauditor). It is designed for use with Claude Desktop, Cursor, and other MCP-compatible clients.
## Features
- **JWT Decoder**: Decodes JWT header, payload, and signature.
- **JWT Analyzer**: Detects vulnerabilities (alg=none, weak algs, missing claims, header injection, sensitive data, etc.).
- **JWT Secret Bruteforcer**: Attempts to brute-force HS256/HS384/HS512 secrets using a wordlist.
- **JWT Generator/Editor**: Create and sign JWTs (HS* and RS* support).
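The kind of static checks the analyzer feature describes (alg=none, key-steering headers, missing claims, sensitive data) can be sketched as follows. This is an added example, not this project's or JWTAuditor's code; `audit_jwt`, the finding strings, and the claim and keyword lists are assumptions chosen for illustration, and the token is inspected without signature verification.

```python
import base64
import json
import time

# Assumed policy for this example; adjust to what your verifier requires.
REQUIRED_CLAIMS = ("exp", "iat", "iss", "aud")
KEY_HEADERS = ("jku", "x5u", "jwk", "kid")  # headers that steer key selection
SENSITIVE_KEYS = ("password", "secret", "ssn", "api_key")


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def audit_jwt(token, now=None):
    """Return a list of finding strings for an unverified JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected 3 dot-separated segments"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed: header or payload is not base64url JSON"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed: header and payload must be JSON objects"]
    now = time.time() if now is None else now
    findings = []
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("alg-none: token is unsigned")
    findings += [f"key-header: {h}" for h in KEY_HEADERS if h in header]
    findings += [f"missing-claim: {c}" for c in REQUIRED_CLAIMS if c not in payload]
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired")
    findings += [f"sensitive-claim: {k}" for k in payload
                 if any(s in k.lower() for s in SENSITIVE_KEYS)]
    return findings


# Constructed sample: unsigned token with a password claim and no exp/iat/iss/aud.
SAMPLE = ".".join([b64url_encode({"alg": "none", "typ": "JWT"}),
                   b64url_encode({"sub": "alice", "password": "hunter2"}), ""])

if __name__ == "__main__":
    for finding in audit_jwt(SAMPLE):
        print(finding)
```
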
## Quickstart
### 1. Install dependencies (using uv)
```sh
uv pip install -r pyproject.toml
```
### 2. Run the MCP server
```sh
uv run server.py
```
### 3. Configure Claude Desktop (or Cursor)
Add the following to your Claude Desktop `mcpServers.json` (or merge into your config):
```json
{
  "mcpServers": {
    "JWT Auditor MCP": {
      "type": "stdio",
      "command": "uv",
      "args": ["run", "server.py"],
      "cwd": "/Users/haji/mcp-servers/jwtAuditor-Mcp"
    }
  }
}
```
- Make sure the `cwd` path matches your project directory.
- This will launch the server in the correct environment using `uv`.
### 4. Example mcp.json for MCP Inspector or other clients
If you want to use the MCP Inspector or another tool that requires an `mcp.json` config, use:
```json
{
  "mcpServers": {
    "jwt-auditor": {
      "type": "stdio",
      "command": "uv",
      "args": ["run", "server.py"],
      "cwd": "/Users/haji/mcp-servers/jwtAuditor-Mcp"
    }
  }
}
```
## Security
- All JWT operations are performed locally.
- No tokens or secrets are sent to any external service.
## Credits
- Inspired by [JWTAuditor](https://github.com/dr34mhacks/jwtauditor)
- Built with [MCP Python SDK](https://github.com/modelcontextprotocol/python-sdk)
---