
JWT Auditor MCP Server

by mohdhaji87

jwt_bruteforce

Discover weak secrets in HS256/HS384/HS512 JWTs by brute-forcing the secret with a common or custom wordlist, so that a guessable signing key can be replaced before JWT validation is trusted.

Instructions

Bruteforce the secret for HS256/HS384/HS512 JWTs using a common wordlist or a custom one.

Input Schema

Name      Required  Description  Default
token     Yes
wordlist  No

Implementation Reference

  • The jwt_bruteforce tool handler: decorated with @server.tool(), it brute-forces HS* JWT secrets from the supplied wordlist or the built-in defaults, recomputing the HMAC over the token's header and payload for each candidate and reporting the one whose signature matches.

```python
from typing import Optional


@server.tool()
def jwt_bruteforce(token: str, wordlist: Optional[list] = None) -> dict:
    """Bruteforce the secret for HS256/HS384/HS512 JWTs using a common wordlist or a custom one."""
    import hmac
    import hashlib
    import base64
    import json

    # Default wordlist (short for demo; in production, use a large list)
    common_secrets = [
        'secret', 'password', '123456', 'admin', 'jwtsecret', 'letmein', 'qwerty',
        'iloveyou', 'welcome', 'monkey', 'abc123', '1q2w3e4r', 'test', 'changeme',
        'default', 'passw0rd', 'supersecret', 'trustno1', 'hunter2', 'root'
    ]
    secrets = wordlist if wordlist else common_secrets
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")

        def b64decode(data):
            # JWT segments are base64url without padding; restore it before decoding
            rem = len(data) % 4
            if rem:
                data += '=' * (4 - rem)
            return base64.urlsafe_b64decode(data.encode())

        def b64encode(data):
            return base64.urlsafe_b64encode(data).rstrip(b'=').decode()

        header = json.loads(b64decode(header_b64))
        alg = header.get("alg", "").upper()
        if alg not in ["HS256", "HS384", "HS512"]:
            return {"error": f"Bruteforce only supported for HS256/HS384/HS512, got {alg}"}
        hash_alg = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}[alg]
        # The signed data is the first two segments exactly as they appear in the token
        signing_input = f"{header_b64}.{payload_b64}".encode()
        for secret in secrets:
            sig = hmac.new(secret.encode(), signing_input, hash_alg).digest()
            sig_b64 = b64encode(sig)
            if sig_b64 == signature_b64:
                return {"result": "success", "secret": secret}
        return {"result": "not found", "tested": len(secrets)}
    except Exception as e:
        return {"error": str(e)}
```
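The defender-side counterpart of the auditor above, as an added example that is not part of this server's code: a secret policy that enforces the RFC 7518 minimum HMAC key size and rejects wordlist entries, a signer that refuses non-compliant secrets, and a verifier that pins the expected algorithm and compares signatures in constant time. The WEAK_SECRETS set is a constructed sample, not a full wordlist.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
# Constructed sample of wordlist entries; a real policy would load a full list.
WEAK_SECRETS = {"secret", "password", "123456", "admin", "jwtsecret", "changeme"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def check_hs_secret(secret: str, alg: str = "HS256") -> list:
    """Return policy violations for a symmetric JWT secret; an empty list means it passes."""
    if alg not in MIN_KEY_BYTES:
        return [f"unsupported algorithm {alg}"]
    problems = []
    if secret in WEAK_SECRETS:
        problems.append("secret appears in a common wordlist")
    if len(secret.encode()) < MIN_KEY_BYTES[alg]:
        problems.append(f"secret shorter than {MIN_KEY_BYTES[alg]} bytes required for {alg}")
    return problems


def sign_hs_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Sign payload with an HS* secret that passes the policy; raise ValueError otherwise."""
    problems = check_hs_secret(secret, alg)
    if problems:
        raise ValueError("; ".join(problems))
    seg = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg({'alg': alg, 'typ': 'JWT'})}.{seg(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), HASHES[alg]).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs_token(token: str, secret: str, expected_alg: str = "HS256") -> bool:
    """Verify the signature with a pinned algorithm and a constant-time comparison."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed segment count, base64 or JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return False  # never let the token's own header choose the verifier
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        HASHES[expected_alg]).digest()
    return hmac.compare_digest(expected, sig)
```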
