jwt¶
Work with JSON Web Tokens (JWT).
Synopsis¶
tofu jwt [token] # Decode (default)
tofu jwt decode [token] # Decode and inspect
tofu jwt create [flags] # Create a new token
tofu jwt validate [token] # Validate a token
Description¶
Decode, create, and validate JSON Web Tokens. Supports HMAC (HS256/384/512), RSA (RS256/384/512), and ECDSA (ES256/384/512) algorithms.
Commands¶
decode¶
Decode and inspect a JWT token.
create¶
Create a new signed JWT token.
| Flag | Short | Description | Default |
|---|---|---|---|
--algorithm |
-a |
Signing algorithm | HS256 |
--secret |
-s |
Secret key or path to key file | |
--subject |
Subject claim (sub) | ||
--issuer |
Issuer claim (iss) | ||
--audience |
Audience claim (aud) | ||
--expires-in |
-e |
Expiration time (e.g., 1h, 24h, 7d) | |
--no-exp |
Create without expiration | false |
|
--not-before |
Not before time | ||
--issued-at |
Include iat claim | true |
|
--id |
JWT ID (jti) | ||
--claims |
-c |
Additional claims as JSON |
validate¶
Validate a JWT token.
| Flag | Short | Description | Default |
|---|---|---|---|
--secret |
-s |
Secret key or path to public key | |
--issuer |
Expected issuer | ||
--audience |
Expected audience | ||
--subject |
Expected subject |
Examples¶
Decode a token:
Create a simple token:
Create with custom claims:
Validate a token:
Validate with expected issuer:
Sample Output¶
Decode output:
Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Header:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "user123",
"iat": 1704067200,
"exp": 1704153600
}
Time Claims:
exp: 2024-01-02T00:00:00Z (valid for 23h59m)
iat: 2024-01-01T00:00:00Z (issued 1h ago)
Signature (raw):
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c