1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
.\" Automatically generated by Pandoc 3.7.0.2
.\"
.TH "JWT\-VERIFY" "1" "" "jwt\-verify User Manual" "LibJWT C Library"
.SH NAME
\f[B]jwt\-verify\f[R] \- Verify a JSON Web Token
.SH SYNOPSIS
.PP
\f[B]jwt\-verify\f[R] \f[B][options]\f[R] \f[I]token\f[R] \&...
.PD 0
.P
.PD
\f[B]jwt\-verify\f[R] \f[B][options]\f[R] \- < \f[I]token\f[R]
.SH DESCRIPTION
\f[B]jwt\-verify\f[R] Decodes and (optionally) verifies the signature of
a JSON Web Token.
.PP
By default, the token(s) will be decoded and verified.
If there is a signature block on the JWT, then you must give a JWK key
with the \f[B]\-k\f[R] option.
Verifying a signature requires specifying the algorithm, so it must
either be in the key file (as the \f[B]alg\f[R] attribute), or passed on
the command line with the \f[B]\-a\f[R] argument.
.PP
\f[B]jwt\-verify\f[R] will not assume the algorithm from the JWT itself
(for security reasons), however, the algorithm in the JWT must match
what you provide to \f[B]jwt\-verify\f[R].
.PP
Tokens may be passed on the command line, after any options, separated
by spaces, or passed via \f[B]stdin\f[R], one per line.
To use \f[B]stdin\f[R], you must pass \f[B]\-\f[R] as the last and only
argument after any options.
.PP
When using the \f[B]\-\-verbose\f[R] option, \f[B]jwt\-verify\f[R] will
print the JSON \f[I]HEADER\f[R] and \f[I]PAYLOAD\f[R] to
\f[B]stdout\f[R].
.PP
If used in conjunction with \f[B]\-\-print\f[R], the JSON will be piped
to the command\(cqs \f[B]stdin\f[R].
It will be called twice: once for \f[I]HEAD\f[R] and once for
\f[I]PAYLOAD\f[R].
.PP
One use is to pass it through \f[B]jq \-C\f[R] for indenting and
colorization.
Another would be to use an external program to validate the
\f[I]PAYLOAD\f[R] contents.
A non\-0 exit status from the program will cause verification to fail.
.SS Options
.TP
\f[B]\-h\f[R], \f[B]\-\-help\f[R]
Show common options and quit.
.TP
\f[B]\-l\f[R], \f[B]\-\-list\f[R]
List all supported algorithms that can be passed to the \f[B]\-a\f[R]
option and quit.
.TP
\f[B]\-v\f[R], \f[B]\-\-verbose\f[R]
Show the contents of the \f[I]HEADER\f[R] and \f[I]PAYLOAD\f[R] of the
JWT in addition to verifying the token.
.TP
\f[B]\-q\f[R], \f[B]\-\-quiet\f[R]
Do not output anything except for hard errors.
The exit value will be the number of token validation failures.
.TP
\f[B]\-a\f[R] \f[I]ALG\f[R], \f[B]\-\-algorithm\f[R]=\f[I]ALG\f[R]
Specify the algorithm to be used when verifying the signature block of
any tokens passed to the program.
See \f[B]\-l\f[R] for values of \f[I]ALG\f[R].
.TP
\f[B]\-k\f[R] \f[I]FILE\f[R], \f[B]\-\-key\f[R]=\f[I]FILE\f[R]
Path to a file containing a key in JSON Web Key format.
If your keys are in PEM or DER (or some other common format that
\f[I]OpenSSL\f[R] understands), then you can convert it to a JWK with
the \f[B]key2jwk(1)\f[R] tool.
.TP
\f[B]\-p\f[R] \f[I]CMD\f[R], \f[B]\-\-print\f[R]=\f[I]CMD\f[R]
Pipe JSON of header and payload to \f[I]CMD\f[R] through its
\f[B]stdin\f[R].
This option only makes sense with \f[B]\-\-verbose\f[R].
.SH BUGS
See GitHub Issues: \c
.UR https://github.com/benmcollins/libjwt/issues
.UE \c
.SH AUTHOR
\f[B]jwt\-verify\f[R] was originally written by Jeremy Thien.
Major rewriting and man page by Ben Collins \c
.MT bcollins@libjwt.io
.ME \c
\&.
.SH SEE ALSO
\f[B]jwt\-generate(1)\f[R], \f[B]key2jwk(1)\f[R], \f[B]jwk2key(1)\f[R]
|
