jwt-term is a blazing-fast, secure, and offline-first Command Line Interface (CLI) tool built in Rust for inspecting, validating, and manipulating JSON Web Tokens (JWTs) and OAuth tokens. Designed to keep sensitive information private, it allows users to decode, validate, and analyze tokens directly from the terminal without exposing them to external web portals.
Key Features:
Instant Decoding: Quickly decode base64url-encoded JWT headers and payloads without requiring signature verification.
Pretty-Printed Output: Display decoded JSON in a colorized, formatted layout for easy visual inspection.
Offline Signature Validation: Support for verifying HMAC (HS256/384/512), RSA (RS256/384/512, PS256/384/512), ECDSA (ES256/384), and EdDSA signatures using local secrets or PEM keys.
Remote JWKS Validation: Validate tokens against a remote JWKS endpoint over HTTPS for secure, dynamic key management.
Time-Travel Debugging: Simulate token expiry by evaluating exp and nbf claims at custom timestamps to check validity across time zones.
Security First: No telemetry or logging ensures sensitive data remains private. Memory-zeroed secrets and support for reading tokens via stdin or environment variables help prevent shell history exposure.
Audience & Benefit:
Ideal for developers, DevOps engineers, and security professionals who need to inspect and validate JWTs securely. By performing these operations in the terminal, users can maintain control over sensitive data while ensuring privacy and compliance with security best practices.
Installation via winget is straightforward: winget install FelipeMorandini.jwt-term.
README
jwt-term
A blazing-fast, secure, and offline-first CLI tool built in Rust for inspecting, validating, and manipulating JSON Web Tokens (JWTs) and OAuth tokens.
Stop pasting sensitive tokens into web portals. Debug them in your terminal.
Features
Instant Decoding -- Decode base64url-encoded headers and payloads without signature verification
Pretty-Print Output -- Colorized, formatted JSON for quick visual inspection
Offline Signature Validation -- Validate HMAC (HS256/384/512), RSA (RS256/384/512, PS256/384/512), ECDSA (ES256/384), and EdDSA signatures with local secrets and PEM keys
Remote JWKS Validation -- Fetch and validate against OIDC provider JWKS endpoints over HTTPS
Time-Travel Debugging -- Simulate token expiry by evaluating exp/nbf against custom timestamps
Security First -- No telemetry, no logging, memory-zeroed secrets via zeroize, stdin/env-var support to avoid shell history exposure
Installation
Homebrew (macOS & Linux)
brew install felipemorandini/tap/jwt-term
AUR (Arch Linux)
# Using an AUR helper (e.g., yay, paru)
yay -S jwt-term-bin
Winget (Windows)
winget install FelipeMorandini.jwt-term
Debian/Ubuntu (.deb)
Download the .deb package for your architecture from GitHub Releases:
Build from source
git clone https://github.com/felipemorandini/jwt-term
cd jwt-term
cargo build --release
# Binary will be at: target/release/jwt-term
Quick Start
Run jwt-term --help to see all available commands and options.
# Decode a JWT (no signature verification)
jwt-term decode eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
# Pipe from stdin (keeps token out of shell history)
cat token.txt | jwt-term decode
# Read token from environment variable
jwt-term decode --token-env JWT_TOKEN
# Verify an HMAC signature (prefer --secret-env over --secret)
jwt-term verify --secret-env HMAC_SECRET
# Verify an RSA/ECDSA signature with a PEM public key
jwt-term verify --key-file public.pem
# Verify using a remote JWKS endpoint (HTTPS only)
jwt-term verify --jwks-url "https://login.example.com/.well-known/jwks.json"
# Check if a token will be valid 7 days from now
jwt-term verify --secret-env HMAC_SECRET --time-travel "+7d"
# Check token status at a specific point in time
jwt-term verify --key-file public.pem --time-travel "2024-06-01T00:00:00Z"
Usage
decode
Decode and inspect a JWT without verifying its signature.
jwt-term decode [OPTIONS] [TOKEN]
| Option | Description |
| --- | --- |
| --token-env | Read token from the named environment variable |
| --json | Output raw JSON without colors (machine-readable) |
verify
Verify a JWT's signature using a local secret, key file, or remote JWKS endpoint. Displays the decoded token alongside the validation result. Exits with code 1 if the signature is invalid.
jwt-term verify [OPTIONS] [TOKEN]
| Option | Description |
| --- | --- |
| --secret | HMAC shared secret (see security note below) |
| --secret-env | Read HMAC secret from environment variable (recommended) |
| --key-file | PEM-encoded public key file (RSA/ECDSA/EdDSA) |
| --jwks-url | JWKS endpoint URL (HTTPS only) |
| --time-travel | Evaluate expiry at a simulated time (e.g., +7d, -1h, ISO 8601) |
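What a time-travel check over exp and nbf amounts to, as an added Python example; it is not jwt-term's own code and not from the project. Assumptions: the function names are hypothetical, the unit letters s/m/h/d are assumed (the page shows only d and h), and the boundary rules follow RFC 7519 (a token is expired once the evaluated time reaches exp). The payload is only decoded, so the result says nothing about whether the signature is genuine.

```python
import base64, json, re
from datetime import datetime, timedelta, timezone

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}  # assumed unit letters

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def resolve_time(spec: str, now: datetime) -> datetime:
    """Turn '+7d', '-1h' or an ISO 8601 timestamp into an aware datetime."""
    m = re.fullmatch(r"([+-])(\d+)([smhd])", spec)
    if m:
        delta = timedelta(**{UNITS[m.group(3)]: int(m.group(2))})
        return now + delta if m.group(1) == "+" else now - delta
    at = datetime.fromisoformat(spec.replace("Z", "+00:00"))
    return at if at.tzinfo else at.replace(tzinfo=timezone.utc)  # naive input: assume UTC

def status_at(token: str, spec: str, now: datetime) -> str:
    """Classify a token's exp/nbf at the simulated time; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = b64url_json(parts[1])
    at = resolve_time(spec, now).timestamp()
    if "nbf" in claims and at < claims["nbf"]:
        return "not yet valid"
    if "exp" in claims and at >= claims["exp"]:
        return "expired"
    return "valid"

def make_unsigned_sample(claims: dict) -> str:
    """Constructed sample token; the signature segment is a dummy value."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed "current" time for the demo
SAMPLE = make_unsigned_sample({"sub": "1234567890",
                               "nbf": int(NOW.timestamp()) - 3600,
                               "exp": int(NOW.timestamp()) + 3 * 86400})

if __name__ == "__main__":
    for spec in ("-2h", "+1d", "+7d", "2024-06-01T00:00:00Z"):
        print(f"{spec:>22}  {status_at(SAMPLE, spec, NOW)}")
```

A token with neither exp nor nbf, such as the sample in the Quick Start, is reported as valid at every simulated time, which is why a missing exp claim deserves attention during review.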
Shell Completions
# Bash
jwt-term completions bash > /etc/bash_completion.d/jwt-term
# Zsh (add to your fpath)
jwt-term completions zsh > ~/.zfunc/_jwt-term
# Fish
jwt-term completions fish > ~/.config/fish/completions/jwt-term.fish
Security
jwt-term is designed with security as a first-class concern:
No telemetry or analytics -- The tool never phones home. Network calls only happen when you explicitly pass --jwks-url.
No logging -- Token payloads and secrets are never written to disk.
Memory-zeroed secrets -- HMAC keys and sensitive data are zeroed from memory after use via the zeroize crate.
Shell history safety -- Use --token-env or pipe via stdin to keep tokens out of ~/.bash_history:
# Safe: token never appears in shell history
cat token.txt | jwt-term decode
jwt-term decode --token-env MY_JWT
# Less safe: token visible in shell history
jwt-term decode eyJhbG...
Development
# Build
cargo build
# Run tests
cargo test
# Lint
cargo clippy --all-targets --all-features -- -D warnings
# Format
cargo fmt