jwt
Encode, decode, and sign JSON Web Tokens
TLDR
Decode a JWT
Decode a JWT as a JSON string
Encode a JSON string to a JWT
Encode key pair payload to JWT
SYNOPSIS
jwt command [options] [arguments]
Common commands:
jwt decode <token> [options]
jwt encode [options] <payload_json_or_file>
jwt sign <token> [options]
jwt verify <token> [options]
PARAMETERS
--secret, -s
Specify the secret (or key file) used for signing or verifying tokens.
--algorithm, -a
Set the cryptographic algorithm (e.g., HS256, RS256) for encoding or verification.
--header, -H
Provide a JSON string or file for the JWT header. Used when encoding.
--payload, -P
Provide a JSON string or file for the JWT payload. Used when encoding.
--issuer, --iss
Set the "iss" (issuer) claim in the payload.
--subject, --sub
Set the "sub" (subject) claim in the payload.
--audience, --aud
Set the "aud" (audience) claim in the payload.
--expiresIn, --exp
Set the "exp" (expiration time) claim, e.g., "1h", "30d".
--notBefore, --nbf
Set the "nbf" (not before) claim, e.g., "5m".
--no-verify
Skip signature verification when decoding or processing a token.
--json
Read input and write output as JSON. Useful for piping data.
--output, -o
Specify output format (e.g., text, json, compact).
--help, -h
Display help message for the command or subcommand.
--version, -v
Display the version information.
DESCRIPTION
The jwt command-line utility provides tools for working with JSON Web Tokens (JWTs). A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. The tool lets developers and security professionals inspect, decode, encode, sign, and verify tokens directly from the terminal, which simplifies common tasks such as debugging authentication flows, creating sample tokens for testing, or verifying the integrity of received tokens. While not a standard Linux utility, it is widely adopted and is installed as a third-party package, often written in Go, Node.js, or Python. Its primary functions are parsing a JWT to display its header and payload, crafting new JWTs with specified claims and algorithms, and validating the signature of a token against a given secret or public key to confirm its authenticity and integrity.
CAVEATS
The jwt command is not a standard part of most Linux distributions and typically requires installation as a third-party package (e.g., via npm, pip, or a standalone binary). There are multiple implementations of jwt CLI tools, and their exact options and subcommands might vary slightly. A secret passed as a command-line argument is recorded in shell history and, while the command runs, is visible in the process list. Always ensure the tool's source is trusted.
DECODING TOKENS
jwt decode <token>
This is the most common use case, allowing users to quickly see the decoded header and payload of a JWT without needing to write code.
ENCODING NEW TOKENS
jwt encode --secret <secret> '{"user":"test"}'
This command is used to craft new JWTs for testing or development purposes, allowing full control over claims and algorithms.
VERIFICATION
jwt verify <token> --secret <secret>
Critical for security, this verifies the signature of a token against a known secret or public key, ensuring it hasn't been tampered with.
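The difference between decoding and verifying, as an added Python example that is not code from any jwt CLI implementation: decoding a token only parses it, while verification recomputes the HS256 signature, pins the algorithm, and checks "exp". The function names, secret, and tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def segment(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def encode_hs256(payload, secret):
    signing_input = segment({"alg": "HS256", "typ": "JWT"}) + "." + segment(payload)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def decode_unverified(token):
    # Decode-only: parses the payload segment, proves nothing about its origin.
    return json.loads(unb64url(token.split(".")[1]))

def verify_hs256(token, secret, now=None):
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, sig = json.loads(unb64url(head_b64)), unb64url(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side; never take it from the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

# Constructed sample data (not from the page).
SECRET = b"constructed-demo-secret"
GOOD = encode_hs256({"user": "test", "exp": 2000000000}, SECRET)
head, _, sig = GOOD.split(".")
TAMPERED = ".".join([head, segment({"user": "admin", "exp": 2000000000}), sig])
UNSIGNED = segment({"alg": "none"}) + "." + segment({"user": "admin"}) + "."

if __name__ == "__main__":
    print("decode only:", decode_unverified(TAMPERED))
    print("verified:   ", verify_hs256(GOOD, SECRET))
```

Claims read from a decode-only step should be treated as untrusted input until the same token has passed verification.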
HISTORY
JSON Web Tokens (JWTs) themselves were standardized by the IETF as RFC 7519 in 2015, building upon earlier work. Command-line tools like jwt emerged as practical utilities to interact with these tokens, driven by the widespread adoption of JWTs in web authentication and APIs. Different jwt CLI implementations have been developed independently by various communities (e.g., Go, Node.js, Python), reflecting the diverse ecosystems where JWTs are used.