Aller au contenu

Inspect an unknown JWT

Ce contenu n’est pas encore disponible dans votre langue.

When you receive a JWT from a third-party service, a log, or a debug session, you often want to read its content before you have the signing key or know the algorithm. jwtop decode does this without any key material.

Terminal window
jwtop decode <token>

Example — inspect a token from an environment variable:

Terminal window
jwtop decode $ACCESS_TOKEN

Output:

Header:
{
"alg": "RS256",
"typ": "JWT",
"kid": "abc123"
}
Claims:
{
"sub": "user-42",
"iss": "https://auth.example.com",
"aud": "api.example.com",
"exp": 1740000000,
"iat": 1739996400,
"roles": ["admin", "editor"]
}
Signature:
<base64url>
FieldDescription
algSigning algorithm — determines what key type to use for verification
kidKey ID — use with a JWKS endpoint to fetch the right public key
expExpiration timestamp (Unix) — check if the token is still valid
issIssuer — confirms the token origin
subSubject — the principal the token represents

Once you know the algorithm and have the key, use jwtop verify to confirm the signature.