
kc jwt

Overview

The kc jwt command decodes and displays JWT (JSON Web Token) contents in a human-readable format. It extracts and pretty-prints the header and payload, and adds human-readable timestamps.

Syntax

kc jwt [token]

or

echo <token> | kc jwt

Arguments

[token]

string - optional

The JWT token to decode. If not provided as an argument, reads from stdin.

Examples

Decode Token from Argument

kc jwt eyJhbGciOiJSUzI1NiIsImtpZCI6ImY0Y2NkNDU0LWYzYTgtNDQ3Zi1hN2MzLTY3ZmY5MzUxMzZiMSIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoiaGNBY2dtdmdBekJlSGgyODlkWHF3USIsImF1ZCI6WyJwdWJsaWMiXSwi...

Decode Token from Stdin

echo "eyJhbGciOiJSUzI1NiIsImtpZCI6ImY0Y2NkNDU0..." | kc jwt

Pipe from kc token

kc token --issuerURL https://kubauth.example.com --clientId public --onlyIdToken | kc jwt

Output

JWT Header:
{
  "alg": "RS256",
  "kid": "f4ccd454-f3a8-447f-a7c3-67ff935136b1",
  "typ": "JWT"
}

JWT Payload:
{
  "at_hash": "_GWrC20juEb4Zh39S0ly5w",
  "aud": ["public"],
  "auth_time": 1761564624,
  "auth_time_human": "2025-10-27 11:30:24 UTC",
  "azp": "public",
  "email": "john@example.com",
  "emails": ["john@example.com"],
  "exp": 1761568224,
  "exp_human": "2025-10-27 12:30:24 UTC",
  "groups": ["developers", "ops"],
  "iat": 1761564624,
  "iat_human": "2025-10-27 11:30:24 UTC",
  "iss": "https://kubauth.example.com",
  "jti": "be30eeb2-153f-4dec-97b8-c75d23035f81",
  "name": "John DOE",
  "office": "208G",
  "rat": 1761564624,
  "rat_human": "2025-10-27 11:30:24 UTC",
  "sub": "john"
}

Human-Readable Timestamps

The decoder adds fields with a _human suffix for timestamp claims:

  • auth_time_human - When user authenticated
  • exp_human - When token expires
  • iat_human - When token was issued
  • rat_human - Token refresh time

Note

The *_human fields are added by the decoder for convenience and are not part of the actual JWT token.

JWT Structure

Header

Contains token metadata:

  • alg - Signing algorithm (e.g., RS256)
  • kid - Key ID used for signing
  • typ - Token type (JWT)

Payload

Contains claims (user information):

Standard OIDC Claims:

  • sub - Subject (username)
  • iss - Issuer URL
  • aud - Audience (client ID)
  • exp - Expiration time
  • iat - Issued at time
  • auth_time - Authentication time

Kubauth-Added Claims:

  • name - User's full name
  • email - Primary email
  • emails - All emails
  • groups - Group memberships

Custom Claims:

  • Any claims from User or Group spec.claims

Limitations

No Signature Verification

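The kc jwt command only decodes the token; it does not verify the signature. The displayed claims are therefore unauthenticated: a modified or forged token decodes just as cleanly as a genuine one.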

Base64 Decoding Only

This command simply base64-decodes the JWT parts. It doesn't validate:

  • Token expiration
  • Issuer authenticity
  • Signature validity

Troubleshooting

Invalid Token Format

Error:

Error: invalid JWT format

Solution: Ensure the token is a complete JWT with three dot-separated parts:

header.payload.signature

Malformed JSON

If the output shows malformed JSON, the token may be corrupted or incomplete.

See Also

  • kc token - Get tokens with -d flag for automatic decoding
  • kc token-nui - Get tokens in terminal
  • kc whoami - With -d option, display decoded token from kubectl context