Skip to content

verify

Verify the signature of a JWT and validate standard claims (exp, nbf, iss, etc.). Exits with code 1 if the token is invalid or the signature does not match.

Terminal window
jwtop verify <token> [--secret <secret>] [--key <pem-file>] [--jwks <uri>]

Exactly one key source must be provided.

FlagDescription
--secretHMAC secret string (for HS256, HS384, HS512)
--keyPath or URL to a PEM-encoded public or private key file (RSA, EC, Ed25519)
--jwksURL of a JWKS endpoint

HMAC secret

Terminal window
jwtop verify $TOKEN --secret mysecret

RSA or EC public key file

Terminal window
jwtop verify $TOKEN --key /path/to/public.pem
jwtop verify $TOKEN --key https://example.com/public.pem

JWKS endpoint

Terminal window
jwtop verify $TOKEN --jwks https://example.com/.well-known/jwks.json
CodeMeaning
0Token is valid
1Token is invalid, signature mismatch, or structural error