How to Decode a JWT Token on Linux (bash + jq + Browser)
- Pure bash method using only base64 and Python — no extra packages
- jq method for structured extraction of specific claims
- Browser tool option for visual inspection
- One-liners you can copy directly into any Linux terminal
Table of Contents
On Linux you can decode a JWT in three ways: the browser tool (paste and read instantly), a pure bash one-liner using tools present on virtually every distro, or jq for structured claim extraction. All three run entirely locally.
Decode JWT Payload in Pure bash (No Extra Packages)
This works on Ubuntu, Debian, CentOS, Fedora, Arch, and any distro with Python 3 installed (which is essentially all of them):
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTYiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE3MDAwMDAwMDB9.signature"
echo $TOKEN | cut -d'.' -f2 | python3 -c "
import sys, base64, json
payload = sys.stdin.read().strip()
padding = 4 - len(payload) % 4
decoded = base64.b64decode(payload + '=' * padding)
print(json.dumps(json.loads(decoded), indent=2))
"The JWT is three base64url-encoded segments separated by dots. cut -d'.' -f2 extracts the middle segment (payload). Python adds the required base64 padding and decodes it.
To decode the header, change -f2 to -f1.
Decode JWT with jq for Structured Output
If you have jq installed (available in all major package managers), you can extract specific claims cleanly:
# Install jq if needed
sudo apt install jq # Debian/Ubuntu
sudo dnf install jq # Fedora/RHEL
sudo pacman -S jq # Arch
# Decode full payload with jq
echo $TOKEN | cut -d'.' -f2 | python3 -c "
import sys, base64
p = sys.stdin.read().strip()
print(base64.b64decode(p + '=' * (4 - len(p) % 4)).decode())
" | jq .
# Extract a single claim
echo $TOKEN | cut -d'.' -f2 | python3 -c "
import sys, base64
p = sys.stdin.read().strip()
print(base64.b64decode(p + '=' * (4 - len(p) % 4)).decode())
" | jq -r '.sub'The Python step handles the base64url-to-JSON conversion, then jq does the filtering. This pattern lets you pipe into any jq expression.
Sell Custom Apparel — We Handle Printing & Free ShippingCheck If a JWT Is Expired from the Command Line
To check expiry without a browser:
# Get exp claim value
EXP=$(echo $TOKEN | cut -d'.' -f2 | python3 -c "
import sys, base64, json
p = sys.stdin.read().strip()
d = json.loads(base64.b64decode(p + '=' * (4 - len(p) % 4)))
print(d.get('exp', 0))
")
NOW=$(date +%s)
if [ "$EXP" -lt "$NOW" ]; then
echo "Token EXPIRED at $(date -d @$EXP)"
else
echo "Token valid until $(date -d @$EXP)"
fiThis is useful in CI pipelines or deploy scripts where you want to verify a service token is still valid before proceeding.
Browser Tool — Works on Any Linux Desktop
If you are on a Linux desktop (not headless server), the browser tool is the quickest option:
- Open Chrome, Firefox, or any browser
- Paste your JWT into the field at the top of this page
- Header and payload appear instantly with labeled claims
The tool runs entirely in the browser tab — nothing is sent to any server. Good for quick visual inspection when you want to see all claims at once without writing a command.
Prefer a Visual Decoder? Use the Browser Tool
Paste your JWT above for instant visual decoding — labeled claims, timestamp conversion, and no command line needed.
Open Free JWT DecoderFrequently Asked Questions
Does the base64 command on Linux work directly for JWT decoding?
Not reliably. The Linux base64 command does not handle base64url encoding (which uses - and _ instead of + and /). The Python approach in the examples above handles this correctly.
Can I decode a JWT in bash without Python?
Yes, with some extra work. You can use tr to convert base64url to standard base64, add padding manually, then pipe to base64 -d. The Python one-liner is simpler and more reliable on all distros.
How do I decode a JWT on a headless Linux server?
Use the bash or Python method in the terminal — no desktop or browser needed. The commands above work on any Linux server with Python 3 installed.
