JWT (JSON Web Token) is everywhere.
And unfortunately, so are weak JWT secrets.
During security reviews and side projects, I kept seeing the same pattern:
applications using guessable HMAC secrets like "secret", "password", or environment defaults, especially with HS256.
So I built and open-sourced a small CLI tool to help detect this issue.
GitHub Repo: https://github.com/huang-hub/jwt-secret-checker
Why Weak JWT Secrets Are Dangerous
If a JWT uses an HMAC-based algorithm (HS256, HS384, HS512), the entire security of the token depends on the secret.
When that secret is weak:
Attackers can forge valid tokens
Privilege escalation becomes trivial
Account takeover is possible without touching the database
This is not theoretical: weak JWT secrets show up frequently in:
Internal tools
MVPs
Early-stage SaaS products
Test environments that accidentally go to production
What jwt-secret-checker Does
jwt-secret-checker is a security testing and educational tool, designed to:
Detect weak JWT secrets using a curated wordlist
Support HMAC-based JWTs (HS256 / HS384 / HS512)
Provide fast, local CLI-based checks
Help developers audit their own systems
It is not a brute-force tool and does not attempt large-scale cracking.
How It Works (High Level)
The logic is intentionally simple and transparent:
Decode the JWT header
Check whether the algorithm is HMAC-based
If applicable, attempt verification using common weak secrets
Report whether a weak secret is detected
This makes it suitable for:
Security education
Authorized penetration testing
Development audits
Usage
You can run it directly with npx:
npx jwt-secret-checker
Example output:
Weak JWT secret detected!
Secret: password
Or, if no weak secret is found:
No weak JWT secret found.
Who Is This Tool For?
Developers who want to audit their JWT usage
Security engineers reviewing applications
Students learning about JWT vulnerabilities
Anyone curious about how JWT security fails in practice
If you are using asymmetric algorithms like RS256, this tool will simply report that the token is not applicable, which is expected.
Responsible Use
This project is intended only for:
Educational purposes
Authorized security testing
Auditing systems you own or have permission to test
Please do not use it against systems without proper authorization.
A full responsible-use policy is included in the repository.
Open Source & Contributions
The project is MIT licensed and open to contributions:
Improving detection logic
Expanding safe wordlists
Documentation improvements
Security discussions and edge cases
If you have ideas or feedback, feel free to open an issue or pull request.
Final Thoughts
JWTs are powerful, but misconfiguration turns them into liabilities.
If this small tool helps even one developer catch a weak secret before production, it has done its job.
Thanks for reading, and feedback is welcome.