LinuxCommandLibrary

jwt

Encode, decode, and sign JSON Web Tokens

TLDR

Decode a JWT

$ jwt decode [jwt_string]
copy

Decode a JWT as a JSON string
$ jwt decode [[-j|--json]] [jwt_string]
copy

Encode a JSON string to a JWT
$ jwt encode [[-A|--alg]] [HS256] [[-S|--secret]] [1234567890] '[json_string]'
copy

Encode key pair payload to JWT
$ jwt encode [[-A|--alg]] [HS256] [[-S|--secret]] [1234567890] [[-P|--payload]] [key=value]
copy

SYNOPSIS

jwt <SUBCOMMAND> [OPTIONS] [<ARGS>]
Subcommands: encode, decode, verify, inspect, help

PARAMETERS

--alg <ALG>
    Signing/verification algorithm (e.g., HS256, RS256)

--secret <SECRET>
    Raw secret for symmetric algs (base64-encodable)

--key <KEY>
    PEM/JWK key file for asymmetric algs

--key-id <KID>
    Key ID (kid) claim/header matcher

--iss <ISS>
    Issuer (iss) claim for verification

--aud <AUD>
    Audience (aud) claim for verification

--claim <KEY=VAL>
    Add custom claim to payload (repeatable)

--no-verify
    Decode without signature check (encode/decode)

--compact
    Output compact JWT (no JSON)

--json
    Force JSON serialization (JWS)

-q, --quiet
    Suppress non-error output

-h, --help
    Show help/usage

--version
    Print version info

DESCRIPTION

The jwt command, from the jwt-cli Rust crate, is a fast command-line tool for handling JSON Web Tokens (JWTs). It supports encoding payloads into signed tokens, decoding and inspecting token contents, verifying signatures against keys, and more. Ideal for developers testing auth flows, debugging APIs, or automating token ops in scripts.

Key capabilities include multiple algorithms (HS256/384/512, RS256/384/512, ES256/384/512, EdDSA, none), key formats (PEM, JWK, raw secrets), claims injection, and JSON/compact serialization. Output is human-readable JSON or raw compact form. No external deps beyond Rust toolchain for install; cross-platform.

Secure by default: verifies alg mismatches, key IDs, expiration, and audiences. Quiet mode suppresses non-essential output. Widely used in DevOps for CI/CD token validation without heavy libs like PyJWT.

CAVEATS

Not a core Linux utility; install via cargo install jwt-cli or distro pkgs (e.g., Arch: jwt-cli). Sensitive keys in scripts risk exposure; use env vars. Limited to supported algs; no custom headers beyond claims.

EXAMPLE USAGE

Encode: jwt encode --secret foo --iss bar --aud api {"sub":"123"}
Decode: jwt decode --no-verify eyJ...
Verify: jwt verify eyJ... --secret foo

INSTALLATION

Linux: cargo install jwt-cli or apt install jwt-cli (if avail.); verify with jwt --version.

HISTORY

Developed by David J. Pearce as jwt-cli in Rust (v0.1.0 Feb 2020). Gained popularity for lightweight alternative to JS/Python tools. Active on GitHub; v1.0+ added EdDSA, JWK support. Integrated in Nixpkgs, Homebrew.

SEE ALSO

jq(1), openssl(1), base64(1), jose(1)

Copied to clipboard