Re-sign a token
jwtop sign takes an existing JWT, preserves its claims, and re-signs it with a different algorithm or key. The original token does not need to have a valid signature — it is parsed without verification.
Change the HMAC secret
Section titled “Change the HMAC secret”Useful when rotating secrets and you want to produce a token that verifies against the new key:
jwtop sign $TOKEN --alg HS256 --secret newsecretSwitch from HMAC to asymmetric (HS256 → RS256)
Section titled “Switch from HMAC to asymmetric (HS256 → RS256)”jwtop sign $TOKEN --alg RS256 --key /path/to/private.pemSwitch from asymmetric to HMAC (RS256 → HS256)
Section titled “Switch from asymmetric to HMAC (RS256 → HS256)”jwtop sign $TOKEN --alg HS256 --secret mysecretUpgrade to a stronger algorithm
Section titled “Upgrade to a stronger algorithm”# From RS256 to RS512jwtop sign $TOKEN --alg RS512 --key /path/to/private.pem
# From HS256 to ES256openssl ecparam -name prime256v1 -genkey -noout -out ec-private.pemjwtop sign $TOKEN --alg ES256 --key ec-private.pemRound-trip: re-sign and verify
Section titled “Round-trip: re-sign and verify”RESIGNED=$(jwtop sign $TOKEN --alg HS256 --secret newsecret)jwtop verify $RESIGNED --secret newsecret- All original claims (
sub,iss,exp, custom claims) are kept verbatim. - The header
algfield is updated to match the new algorithm. - To remove the signature rather than change it, see Strip or remove a token signature.