Validating JWT Tokens in shell scripts

02 Jun 2020 - cr0hn


JWT tokens are very popular as an SSO authentication mechanism and for authorization, and they are widely used in the microservices paradigm. But have we really paid attention to whether those JWT tokens are valid?

There are many amazing online validators out there, like JWT.io, but they're not useful if you want to integrate the validation process into a script or a shell execution pipeline.

JWT.io screenshot

It's really easy to check whether a JWT token is valid with the APICheck JWT Validator, and to take advantage of chaining it with other validations by using APICheck tools.

$ acp install jwtchk
$ acp install acurl
$ acurl http://my-company.com/api/entry-point | jwtchk -allowAlg HS256 -allowAlg HS384 -issuer bbva-iam -audience my-api-id -secret bXlTZWNyZXRQYXNzd29yZG15U2VjcmV0UGFzc3dvcmQK

Issuer claim doesn't match. Expected: bbva-iam, got: other-iam
Audience claim doesn't match. Expected: my-api-id, got: other-id

There are several other options available to check whether the JWT token was generated following best practices.
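
To make the checks named in the command above concrete (algorithm allow-list, shared secret, issuer, audience), here is an added Python example; it is not APICheck's code and does not describe how jwtchk is implemented. It handles HMAC algorithms only, and the `sign` helper and the `JWT_SECRET` environment variable name are assumptions made for this example.

```python
import base64, hashlib, hmac, json, os, sys

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(header, claims, secret):
    """Helper that builds constructed sample tokens for trying the validator."""
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), HMAC_ALGS[header["alg"]]).digest()
    return ".".join(parts + [b64url_encode(mac)])

def validate(token, secret, allowed_algs, issuer, audience):
    """Return a list of problems; an empty list means every check passed."""
    try:
        head_b64, body_b64, sig_b64 = token.strip().split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return ["Malformed token"]
    alg = header.get("alg")
    # Allow-list first: rejects "none" and anything the caller did not accept,
    # so the token never gets to choose how it is verified.
    if not isinstance(alg, str) or alg not in allowed_algs or alg not in HMAC_ALGS:
        return [f"Algorithm not allowed: {alg}"]
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return ["Signature doesn't match"]
    problems = []  # claims are only trusted once the signature has verified
    if claims.get("iss") != issuer:
        problems.append(f"Issuer claim doesn't match. Expected: {issuer}, got: {claims.get('iss')}")
    aud = claims.get("aud")  # "aud" may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"Audience claim doesn't match. Expected: {audience}, got: {aud}")
    return problems

if __name__ == "__main__":
    # JWT_SECRET is an assumed environment variable name; the token arrives on stdin.
    found = validate(sys.stdin.read(), os.environ["JWT_SECRET"].encode(),
                     {"HS256", "HS384"}, "bbva-iam", "my-api-id")
    print("\n".join(found))
    sys.exit(1 if found else 0)
```

Run as a script, it reads the token from standard input and exits non-zero when any check fails, so it can gate the next step of a pipeline.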