Security

JWT weak-secret cracker API

Tests the HMAC signature of an HS256/HS384/HS512 JWT against a bundled wordlist of common and weak secrets, and reports whether the token is crackable and which secret matched. This is an offline dictionary crack that an LLM cannot perform. It is distinct from JWT alg/claims audits and from sign/verify with a known key. Answers questions such as 'is this JWT signed with a weak secret', 'crack this JWT', 'what is the secret for this token', and 'is this JWT brute-forceable'.

Price: $0.01 per request
Method: POST
Route: /v1/security/jwt-weak-secret
Status: Live
MIME type: application/json
Rate limit: 60/minute
Cache: No cache
security, jwt, crack, weak-secret, hmac, dictionary, audit, token
API URL: https://x402.hexl.dev/v1/security/jwt-weak-secret
Example request
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.Q6CM1qIz2WTgTlhMzpFL8jI8xbu9FFfj5DY_bGVY98Y"
}
Example response
{
  "algorithm": "HS256",
  "wordlistSize": 50,
  "triedCount": 1,
  "cracked": true,
  "secret": "secret",
  "severity": "critical",
  "recommendation": "Token is signed with a weak secret. Rotate to a high-entropy key (>=32 random bytes) immediately.",
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  }
}
Input schema
{
  "type": "object",
  "required": [
    "token"
  ],
  "properties": {
    "token": {
      "type": "string",
      "minLength": 1,
      "examples": [
        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.Q6CM1qIz2WTgTlhMzpFL8jI8xbu9FFfj5DY_bGVY98Y"
      ]
    },
    "extraWords": {
      "type": "array",
      "items": {
        "type": "string"
      }
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}