LinuxCommandLibrary

jwt

Encode, decode, and sign JSON Web Tokens

TLDR

Decode a JWT

$ jwt decode [jwt_string]

Decode a JWT as a JSON string
$ jwt decode [[-j|--json]] [jwt_string]

Encode a JSON string to a JWT
$ jwt encode [[-A|--alg]] [HS256] [[-S|--secret]] [1234567890] '[json_string]'

Encode a key=value pair payload to a JWT
$ jwt encode [[-A|--alg]] [HS256] [[-S|--secret]] [1234567890] [[-P|--payload]] [key=value]

SYNOPSIS

jwt encode | decode | verify [options]

PARAMETERS

encode
    Encodes a JSON payload into a JWT.

decode
    Decodes a JWT and prints its header and payload.

verify
    Verifies the signature of a JWT.

-H, --header
    Specifies the JWT header as a JSON string.

-P, --payload
    Specifies the JWT payload as a JSON string.

-S, --secret
    Specifies the secret key for HMAC algorithms.

-k, --key
    Specifies the path to a private key file (PEM format).

-p, --pubkey
    Specifies the path to a public key file (PEM format).

-a, --alg
    Specifies the signing algorithm (e.g., HS256, RS256).

-i, --input
    Read input from file.

-o, --output
    Write output to file.

-f, --force
    Overwrite output file if it exists.

-j, --json
    Format output as JSON.

-h, --help
    Displays help information.

-v, --version
    Displays version information.

DESCRIPTION

The jwt command encodes, decodes, and verifies JSON Web Tokens (JWTs) directly from the Linux command line.
It is useful for developers and system administrators who work with JWT-based authentication and authorization mechanisms. It lets you inspect a token's header, payload, and signature without relying on external libraries or web-based tools, and generate new tokens using secrets or public/private keys.
The jwt command supports various JWT algorithms (e.g., HS256, RS256) and can be integrated into shell scripts and automation workflows.
Working locally removes the need to paste JWTs into online decoders, which hands live tokens to a third party, or to write custom scripts for validation and inspection.

CAVEATS

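The security of a JWT depends on the secrecy of the HMAC secret or of the private key used to sign it.
Never expose these keys, and store them securely; a secret passed with -S on the command line can end up in shell history and in the process list.
Always verify a JWT's signature before trusting its contents: the header and payload are only base64url-encoded, so anyone can read them, and until verification succeeds anyone could have written them.
Be aware of vulnerabilities such as algorithm confusion, where a verifier lets the token's own alg header choose how the signature is checked; the expected algorithm should be fixed on the verifying side.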
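
What "validate before trusting" and guarding against algorithm confusion look like for an HS256 token, as an added Python example that is not part of this page or of the jwt tool. The function names and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload, secret, header=None):
    """Build a token. Used here only to construct sample input."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, secret):
    """Return the payload only if the token is HS256 and its MAC matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # The header is untrusted input: compare alg to the one value this
    # verifier accepts, never use it to select the verification routine.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # sample value, not a real key
    token = sign_hs256({"sub": "user123", "name": "John Doe"}, secret)
    print(verify_hs256(token, secret))
```

The payload is parsed only after the MAC check passes, so a caller never sees claims from a token that failed verification.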

EXAMPLES

Encode a JWT with header and payload:
jwt encode -H '{"alg":"HS256", "typ":"JWT"}' -P '{"sub":"user123", "name":"John Doe"}' -S 'secret'
Decode a JWT:
jwt decode [jwt_string]
Verify a JWT:
jwt verify -S 'secret' [jwt_string]

SEE ALSO

openssl(1)
