Verify a token
Use jwtop verify to confirm that a token’s signature is valid and that its standard claims (exp, nbf, iss, etc.) pass validation. The command exits 0 on success and 1 on failure.
HMAC secret (HS256 / HS384 / HS512)
Section titled “HMAC secret (HS256 / HS384 / HS512)”jwtop verify $TOKEN --secret mysecretRSA or EC key file (RS256, ES256, …)
Section titled “RSA or EC key file (RS256, ES256, …)”Provide the path or URL to a PEM-encoded public key file (or a private key — the public part is automatically extracted):
jwtop verify $TOKEN --key /path/to/public.pemjwtop verify $TOKEN --key https://example.com/public.pemGenerate a test key pair:
# RSAopenssl genrsa -out private.pem 2048openssl rsa -in private.pem -pubout -out public.pem
# EC (P-256)openssl ecparam -name prime256v1 -genkey -noout -out private.pemopenssl ec -in private.pem -pubout -out public.pemJWKS endpoint
Section titled “JWKS endpoint”When the issuer publishes a JWKS (e.g. an OAuth 2.0 / OIDC provider), pass the endpoint URL:
jwtop verify $TOKEN --jwks https://example.com/.well-known/jwks.jsonThe matching key is selected by the kid header field. If no kid is present, selection falls back to the alg field.
Scripting
Section titled “Scripting”Because jwtop verify exits 1 on invalid tokens, it integrates naturally with shell scripts:
if jwtop verify $TOKEN --secret "$SECRET"; then echo "Token accepted"else echo "Token rejected" >&2 exit 1fi