Inspect an unknown JWT
Ce contenu n’est pas encore disponible dans votre langue.
When you receive a JWT from a third-party service, a log, or a debug session, you often want to read its content before you have the signing key or know the algorithm. jwtop decode does this without any key material.
With the CLI
Section titled “With the CLI”jwtop decode <token>Example — inspect a token from an environment variable:
jwtop decode $ACCESS_TOKENOutput:
Header:{ "alg": "RS256", "typ": "JWT", "kid": "abc123"}
Claims:{ "sub": "user-42", "iss": "https://auth.example.com", "aud": "api.example.com", "exp": 1740000000, "iat": 1739996400, "roles": ["admin", "editor"]}
Signature:<base64url>What to look for
Section titled “What to look for”| Field | Description |
|---|---|
alg | Signing algorithm — determines what key type to use for verification |
kid | Key ID — use with a JWKS endpoint to fetch the right public key |
exp | Expiration timestamp (Unix) — check if the token is still valid |
iss | Issuer — confirms the token origin |
sub | Subject — the principal the token represents |
Next step
Section titled “Next step”Once you know the algorithm and have the key, use jwtop verify to confirm the signature.