Skip to content

cerberauth/jwtop-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
.devcontainer
.devcontainer
 
 
.github
.github
 
 
.licenses/npm
.licenses/npm
 
 
.vscode
.vscode
 
 
__fixtures__
__fixtures__
 
 
__tests__
__tests__
 
 
badges
badges
 
 
dist
dist
 
 
script
script
 
 
src
src
 
 
.checkov.yml
.checkov.yml
 
 
.env.example
.env.example
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.licensed.yml
.licensed.yml
 
 
.markdown-lint.yml
.markdown-lint.yml
 
 
.node-version
.node-version
 
 
.prettierignore
.prettierignore
 
 
.prettierrc.yml
.prettierrc.yml
 
 
.trivyignore
.trivyignore
 
 
.yaml-lint.yml
.yaml-lint.yml
 
 
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 
actionlint.yml
actionlint.yml
 
 
eslint.config.mjs
eslint.config.mjs
 
 
jest.config.js
jest.config.js
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
rollup.config.ts
rollup.config.ts
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

JWTop Action

Join Discord GitHub Workflow Status Latest version Github Repo Stars License

GitHub Action to install and run jwtop — the JWT operations toolkit for decoding, verifying, creating, signing, cracking, and exploiting JSON Web Tokens.

Usage

steps:
  - name: Decode JWT
    id: decode
    uses: cerberauth/jwtop-action@v1
    with:
      command: decode
      args: '${{ env.JWT_TOKEN }}'

  - name: Print output
    run: echo "${{ steps.decode.outputs.output }}"

Security testing with crack

steps:
  - name: Probe JWT endpoint for vulnerabilities
    uses: cerberauth/jwtop-action@v1
    with:
      command: crack
      args: --url https://api.example.com/protected --wordlist ./wordlist.txt

Inputs

Input Description Required Default
version Version of jwtop to install (e.g. v0.2.0). Use latest to always install the newest. No latest
command jwtop subcommand to run: decode, verify, create, sign, crack, exploit. If omitted, jwtop is only installed and added to PATH. No
args Arguments and flags to pass to the jwtop command. No

Outputs

Output Description
output Stdout from the jwtop command (only set when command is provided).
jwtop-path Directory where the jwtop binary is located.

Commands

Command Description
decode Parse and display a JWT without verifying the signature
verify Validate a JWT signature and display its claims
create Generate and sign a new token
sign Re-sign an existing token with different credentials
crack Probe a server for common JWT vulnerabilities
exploit Apply a specific attack technique to a token

Examples

Verify a token with an HMAC secret

- uses: cerberauth/jwtop-action@v1
  with:
    command: verify
    args: '${{ env.JWT_TOKEN }} --secret ${{ secrets.JWT_SECRET }}'

Verify a token with a RSA public key

- uses: cerberauth/jwtop-action@v1
  with:
    command: verify
    args: '${{ env.JWT_TOKEN }} --key ./public.pem'

Pin a specific version

- uses: cerberauth/jwtop-action@v1
  with:
    version: v0.2.0
    command: decode
    args: '${{ env.JWT_TOKEN }}'

Disclaimer

crack and exploit commands are provided for informational purposes only. It should not be used for malicious purposes or to attack any system without proper authorization. Always respect the security and privacy of others.

Telemetry

VulnAPI collects fully anonymized usage data to help improve the tool. This data is not shared with third parties. You can opt-out of telemetry by setting the telemetry option to false.

License

This repository is licensed under the MIT License @ CerberAuth.

About

GitHub Action to install and run jwtop — the JWT operations toolkit for decoding, verifying, creating, signing, cracking, and exploiting JSON Web Tokens.

github.com/cerberauth/jwtop

Topics

jwt jsonwebtoken github-actions github-action

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v1.0.0 Latest
Mar 19, 2026

Contributors

Languages

Generated from actions/typescript-action