verifies a signed JWS token and returns the payload
SYNOPSIS:
> jose verify -j KEYSTORE -i ISSUER -a AUDIENCE [--alg ALLOWEDALGORITHM] [--noalg FORBIDDENALGORITHM]
One can pass a payload via STDIN
to the verify
tool (e.g., the output of sign
).
The following parameters are accepted.
-
-a, --aud AUDIENCE
- the target of the JWS that will verify the token -
-i, --issuer ISSUER
- the issuer of the JWS -
-j, --jwks, --keystore KEYSTORE
- theKEYSTORE
file that contains the singing keys. -
-K, --key JWK
- pass aJWK
formatted key directly. This will ignore any provided keystore. -
--alg ALLOWEDALGORITHM
- allow a signing algorithm. This is typically used in combination with--noalg
options. It is possible to use thenode-jose
algorithm wildcards. To allow multiple algorithms, use this option multiple times. -
--noalg FORBIDDENALGORITHM
- forbid a signing algorithm. It is possible to use thenode-jose
algorithm wildcards. To forbid multiple algorithms, use this option multiple times. -
--crit CLAIM[=VALUE]
- verifies the presence of the headerCLAIM
. If the optionalVALUE
is provided, then theCLAIM
must match the providedVALUE
. This option does not accept wildcards. -
--xcrit CLAIM[=VALUE]
- verifies that the headerCLAIM
is not present in the header (x = exclude). If the optionalVALUE
is provided, then theCLAIM
must not match the providedVALUE
but is otherwise accepted. This option does not accept wildcards.
If both, --crit
and --xcrit
are used with the same option, then --crit
overrides --xcrit
.
If more than one --crit
or --xcrit
option provide different values for the same crit
member, then the values count as alternatives (OR). If an option of a crit
member is presented without values, then this overrides all options with values for the same crit
member.