Aller au contenu

Verify a token

Ce contenu n’est pas encore disponible dans votre langue.

Use jwtop verify to confirm that a token’s signature is valid and that its standard claims (exp, nbf, iss, etc.) pass validation. The command exits 0 on success and 1 on failure.

Terminal window
jwtop verify $TOKEN --secret mysecret

Provide the path or URL to a PEM-encoded public key file (or a private key — the public part is automatically extracted):

Terminal window
jwtop verify $TOKEN --key /path/to/public.pem
jwtop verify $TOKEN --key https://example.com/public.pem

Generate a test key pair:

Terminal window
# RSA
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
# EC (P-256)
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
openssl ec -in private.pem -pubout -out public.pem

When the issuer publishes a JWKS (e.g. an OAuth 2.0 / OIDC provider), pass the endpoint URL:

Terminal window
jwtop verify $TOKEN --jwks https://example.com/.well-known/jwks.json

The matching key is selected by the kid header field. If no kid is present, selection falls back to the alg field.

Because jwtop verify exits 1 on invalid tokens, it integrates naturally with shell scripts:

Terminal window
if jwtop verify $TOKEN --secret "$SECRET"; then
echo "Token accepted"
else
echo "Token rejected" >&2
exit 1
fi