How to Decode JWT Tokens from the Command Line
There are dozens of JWT decoder websites but most of them are bloated with ads and trackers. Here’s how to decode JWTs from the command line and via a free API.
Option 1: Pure Bash
echo "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc" | cut -d. -f2 | base64 -d 2>/dev/null
For a more robust version that handles URL-safe base64:
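decode_jwt() {
  # Take the payload (second dot-separated field) and map the URL-safe alphabet back to standard base64
  local payload=$(echo "$1" | cut -d. -f2 | tr '_-' '/+')
  # Restore the '=' padding that JWT encoding strips
  local pad=$(( 4 - ${#payload} % 4 ))
  [ $pad -ne 4 ] && payload="${payload}$(printf '%0.s=' $(seq 1 $pad))"
  echo "$payload" | base64 -d 2>/dev/null | python3 -m json.tool
}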
Option 2: Free API
curl "http://5.78.129.127/api/jwt/decode?token=YOUR_TOKEN_HERE"
Returns the header, payload, and whether the token is expired. No signup needed. Part of the DevToolKit API — 28 free endpoints: http://5.78.129.127/api/
What JWTs Contain
A JWT has three parts separated by dots:
- Header — algorithm and token type
- Payload — claims (sub, iat, exp, custom data)
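- Signature — an HMAC or digital signature computed over the header and payload
Decoding reads parts 1 and 2. It does NOT verify the signature, so decoded claims tell you what the token says, not whether it is genuine.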
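To see all of this locally, the following is an added example (not code from the original post or from the DevToolKit API) that prints the header and payload and reports whether the exp claim has passed, without the token leaving the machine. The function names and the sample token are constructed for illustration, and the exp lookup is a regex shortcut rather than a JSON parser.

```shell
#!/usr/bin/env bash
# Added example: inspect a JWT offline. Decoding only; the signature is NOT verified.

# Decode one base64url segment (RFC 4648 section 5) to stdout.
b64url_decode() {
  local seg
  seg=$(printf '%s' "$1" | tr '_-' '/+')   # URL-safe alphabet -> standard
  case $(( ${#seg} % 4 )) in               # restore the stripped padding
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
    1) return 1 ;;                         # 4n+1 characters is never valid base64
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# jwt_part <token> <1|2>: print the header (1) or payload (2) JSON.
jwt_part() {
  local seg
  seg=$(printf '%s' "$1" | cut -s -d. -f"$2")   # -s: reject input with no dots
  [ -n "$seg" ] || return 1
  b64url_decode "$seg"
}

# jwt_exp_status <token> [now_epoch]: print expired, valid or no-exp.
jwt_exp_status() {
  local payload exp now
  payload=$(jwt_part "$1" 2) || return 1
  now=${2:-$(date +%s)}
  # Regex pull of a numeric "exp" claim; a shortcut, not a full JSON parser.
  exp=$(printf '%s' "$payload" |
        grep -o '"exp"[[:space:]]*:[[:space:]]*[0-9]\{1,\}' |
        head -n1 | grep -o '[0-9]\{1,\}$') || exp=""
  if [ -z "$exp" ]; then echo "no-exp"
  elif [ "$exp" -le "$now" ]; then echo "expired"   # exp must be in the future
  else echo "valid"
  fi
}

# Constructed sample: header {"alg":"HS256","typ":"JWT"},
# payload {"sub":"1234567890","exp":1700000000}, dummy signature "abc".
SAMPLE_JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNzAwMDAwMDAwfQ.abc'

jwt_part "$SAMPLE_JWT" 1; echo
jwt_part "$SAMPLE_JWT" 2; echo
jwt_exp_status "$SAMPLE_JWT"
```

A result of "valid" here only means the exp claim lies in the future; it says nothing about whether the signature checks out.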
Security Note
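JWTs are base64url-encoded, NOT encrypted. Anyone who obtains the token can read the payload. Never put passwords or secrets in a JWT payload. The token itself is still a credential: the curl call in Option 2 sends it over plain HTTP to a third-party server, so only submit tokens that are expired or come from a test environment.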