Verify Command

The verify command checks a JWT's signature against the secret or public key you supply and optionally validates its exp claim.

Basic Usage

jwt-hack verify <TOKEN> [OPTIONS]

Secret-Based Verification (HMAC)

Verify HMAC-signed tokens with a shared secret:

# Verify HS256 token
jwt-hack verify eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRA --secret=test

# Try different secrets
jwt-hack verify <TOKEN> --secret=secret123
jwt-hack verify <TOKEN> --secret=password

Key-Based Verification (RSA/ECDSA)

Verify asymmetric tokens with the public key that matches the signing key. Note that the option is named --private-key but expects the public key file; verification never needs the private key:

# Verify RSA-signed token
jwt-hack verify <RSA_TOKEN> --private-key=public.pem

# Verify ECDSA-signed token
jwt-hack verify <ECDSA_TOKEN> --private-key=ec-public.pem

Expiration Validation

Check if the token has expired:

# Enable expiration validation
jwt-hack verify <TOKEN> --secret=test --validate-exp

With --validate-exp, the command will:

  • Check the exp (expiration) claim
  • Validate against current timestamp
  • Report if the token is expired
  • Show time remaining or time since expiration

Command Options

Required

  • <TOKEN> - The JWT token to verify

Authentication Options

  • --secret <SECRET> - Secret for HMAC token verification
  • --private-key <PATH> - Path to the PEM public key file used to verify RSA/ECDSA signatures (despite the option name, pass the public key, not the private one)

Validation Options

  • --validate-exp - Enable expiration time validation

Verification Results

The verify command provides detailed output:

Successful Verification

✓ Signature Valid
✓ Token Structure Valid
✓ Algorithm: HS256
✓ Expiration: Valid (expires in 2 hours)

Failed Verification

✗ Signature Invalid
✓ Token Structure Valid
- Algorithm: HS256
- Reason: Incorrect secret or signature tampering

Expiration Issues

✓ Signature Valid
✓ Token Structure Valid
✗ Expiration: Token expired 30 minutes ago

Examples

Basic HMAC Verification

# Verify with correct secret
jwt-hack verify eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.SIGNATURE --secret=correct-secret

# Try with wrong secret (will fail)
jwt-hack verify eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.SIGNATURE --secret=wrong-secret

RSA Token Verification

# Verify RS256 token with public key
jwt-hack verify <RSA_TOKEN> --private-key=rsa-public.pem

Complete Validation

# Verify signature and check expiration
jwt-hack verify <TOKEN> --secret=mysecret --validate-exp

Key File Requirements

For RSA/ECDSA Verification

You need the public key corresponding to the private key used for signing. The private key itself is never required for verification:

# Extract public key from an RSA private key
openssl rsa -in private.pem -pubout -out public.pem

# Extract public key from an EC private key
openssl ec -in ec-private.pem -pubout -out ec-public.pem

# Use public key for verification
jwt-hack verify <TOKEN> --private-key=public.pem

Supported Public Key Formats

  • X.509 SubjectPublicKeyInfo - -----BEGIN PUBLIC KEY-----
  • PKCS#1 RSA Public Key - -----BEGIN RSA PUBLIC KEY-----

Security Testing

The verify command is useful for security testing:

Test Different Secrets

# Test common weak secrets
jwt-hack verify <TOKEN> --secret=secret
jwt-hack verify <TOKEN> --secret=password
jwt-hack verify <TOKEN> --secret=123456
jwt-hack verify <TOKEN> --secret=test

Algorithm Confusion Testing

An algorithm-confusion (RS256 to HS256) test re-signs an RSA-issued token as HS256 using the server's public key as the HMAC secret, then checks whether the target accepts it. The original RS256 token will not verify as HMAC, so run verify on the re-signed token (jwt-hack's encode command can produce one) to confirm the HS256 signature is correct before sending it to the target:

# Confirm a re-signed HS256 token verifies with the public key as the secret
jwt-hack verify <RESIGNED_TOKEN> --secret="$(cat public.pem)"

The secret must be the exact bytes of the PEM the target loads. Shell command substitution strips trailing newlines, so if the target reads the file verbatim the two byte strings differ by a final newline; test both variants. A target that accepts such a token is choosing the algorithm from the token header instead of pinning it server-side.

None Algorithm Testing

A token whose header sets alg to none carries no signature, so there is nothing to verify with a secret or key:

# Test unsigned tokens (none algorithm)
jwt-hack verify <NONE_TOKEN>

Any verifier that accepts such a token accepts unsigned claims; a secure server rejects alg none outright rather than treating the empty signature as valid.
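The checks described under Expiration Validation and the three Security Testing subsections above, worked through in a small HS256 verifier. This is an added example written for this page, not jwt-hack's own code. The secret, the fixed clock NOW, the claims and the placeholder standing in for an RSA public key PEM are all constructed; only HS256 signatures are implemented, so expected_alg="RS256" appears purely to show algorithm pinning; and the function names verify(), verify_trusting_header(), crack_secret() and run_checks() are this example's, not jwt-hack's. verify() pins the algorithm the way a hardened server should, verify_trusting_header() shows the vulnerable pattern that makes the alg=none and HS256/RS256 confusion tests succeed, and crack_secret() is the offline equivalent of re-running verify with a list of candidate secrets.

```python
import base64
import hashlib
import hmac
import json

# Constructed inputs (assumptions): throwaway secret, fixed clock, fake public-key PEM.
SECRET = b"test"
NOW = 1_700_000_000
FAKE_PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\n(constructed placeholder)\n-----END PUBLIC KEY-----\n"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding

def hs256_sign(signing_input: bytes, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())

def encode(header: dict, claims: dict, key) -> str:
    """Build a token; key=None yields an unsigned 'alg: none' token with an empty signature."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}." + ("" if key is None else hs256_sign(f"{h}.{p}".encode(), key))

def verify(token: str, key: bytes, expected_alg: str = "HS256",
           validate_exp: bool = False, now: int = NOW, leeway: int = 0) -> dict:
    """Pinned verifier: the caller, not the token header, decides the algorithm. Result keys
    mirror the page's output lines. Only HS256 is implemented; other values pin and reject."""
    result = {"structure": False, "signature": False, "alg": None, "exp": None, "reason": None}
    parts = token.split(".")
    if len(parts) != 3:
        result["reason"] = "token must have exactly three dot-separated segments"
        return result
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError subclass it
        result["reason"] = "header or payload is not a base64url-encoded JSON object"
        return result
    result["structure"], result["alg"] = True, header.get("alg")
    # Pinning the algorithm defeats both 'alg: none' and HS256/RS256 confusion.
    if result["alg"] != expected_alg:
        result["reason"] = f"alg {result['alg']!r} is not the expected {expected_alg!r}"
        return result
    if expected_alg != "HS256":
        result["reason"] = "only HS256 signature checks are implemented in this example"
        return result
    # Constant-time comparison so a wrong secret cannot be detected byte by byte.
    expected_sig = hs256_sign(f"{parts[0]}.{parts[1]}".encode(), key)
    if not hmac.compare_digest(expected_sig.encode(), parts[2].encode()):
        result["reason"] = "incorrect secret or signature tampering"
        return result
    result["signature"] = True
    if validate_exp:
        exp = claims.get("exp")
        if not isinstance(exp, int):
            result["exp"] = result["reason"] = "exp claim missing or not an integer"
        elif now > exp + leeway:
            result["exp"] = result["reason"] = f"expired {now - exp} seconds ago"
        else:
            result["exp"] = f"valid (expires in {exp - now} seconds)"
    return result

def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable pattern: dispatch on the alg the token itself declares."""
    alg = json.loads(b64url_decode(token.split(".")[0])).get("alg")
    if alg == "none":  # accepting an unsigned token lets anyone mint claims
        return {"signature": True, "alg": alg, "reason": "accepted unsigned token"}
    if alg == "HS256":  # in an RSA deployment `key` is the public PEM, which is not secret,
        return verify(token, key, expected_alg="HS256")  # so its holder can forge HS256 tokens
    return {"signature": False, "alg": alg, "reason": f"{alg} not handled in this example"}

def crack_secret(token: str, wordlist):
    """Offline equivalent of re-running verify with candidate secrets; None if none match."""
    for candidate in wordlist:
        if verify(token, candidate.encode())["signature"]:
            return candidate
    return None

def run_checks() -> dict:
    """Exercise both verifiers on constructed tokens and return every outcome."""
    live = encode({"alg": "HS256", "typ": "JWT"}, {"sub": "1234", "exp": NOW + 7200}, SECRET)
    dead = encode({"alg": "HS256", "typ": "JWT"}, {"sub": "1234", "exp": NOW - 1800}, SECRET)
    unsigned = encode({"alg": "none", "typ": "JWT"}, {"sub": "admin"}, None)
    forged = encode({"alg": "HS256", "typ": "JWT"}, {"sub": "admin"}, FAKE_PUBLIC_KEY_PEM)
    return {
        "correct_secret": verify(live, SECRET)["signature"],
        "wrong_secret": verify(live, b"wrong-secret")["signature"],
        "live_exp": verify(live, SECRET, validate_exp=True)["exp"],
        "dead_exp": verify(dead, SECRET, validate_exp=True)["exp"],
        "none_trusting_header": verify_trusting_header(unsigned, SECRET)["signature"],
        "none_pinned": verify(unsigned, SECRET)["signature"],
        "confusion_trusting_header": verify_trusting_header(forged, FAKE_PUBLIC_KEY_PEM)["signature"],
        "confusion_pinned": verify(forged, FAKE_PUBLIC_KEY_PEM, expected_alg="RS256")["signature"],
        "cracked": crack_secret(live, ["secret", "password", "123456", "test"]),
    }
```

Calling run_checks() shows the contrast the Security Testing sections rely on: the same unsigned and public-key-signed tokens pass verify_trusting_header() and fail verify(), because the pinned verifier rejects any header alg it did not expect before it ever looks at the signature. The leeway parameter is the small clock-skew allowance a real verifier needs; the page's --validate-exp output lines correspond to the exp entry of the result.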

Return Codes

The verify command uses exit codes for scripting:

  • 0 - Verification successful
  • 1 - Verification failed
  • 2 - Token format error
  • 3 - Expiration validation failed

Example usage in scripts, branching on the exit status so a signature failure, a malformed token and an expired token are handled differently:

jwt-hack verify "$TOKEN" --secret="$SECRET" --validate-exp
case $? in
    0) echo "Token is valid" ;;
    1) echo "Signature verification failed" ;;
    2) echo "Token format error" ;;
    3) echo "Token has expired" ;;
    *) echo "Unexpected exit status" ;;
esac