15 releases (stable)

new 1.2.0 May 23, 2024
1.1.0 Jan 22, 2024
0.0.5 Jan 11, 2024
0.0.1 Oct 24, 2023

#20 in Authentication

Download history 33/week @ 2024-02-25 1/week @ 2024-03-10 88/week @ 2024-03-31 1/week @ 2024-04-07 1/week @ 2024-04-28 96/week @ 2024-05-19

97 downloads per month

MIT license


JWT UI - A Terminal UI for decoding/encoding JSON Web Tokens

ci cd License LOC crates.io link Release Docker Release Coverage GitHub Downloads Crate.io downloads Docker pulls

Follow Deepu K Sasidharan (deepu105)

     ____.__      _____________       ____ ___.___
    |    /  \    /  \__    ___/      |    |   \   |
    |    \   \/\/   / |    |  ______ |    |   /   |
/\__|    |\        /  |    | /_____/ |    |  /|   |
\________| \__/\  /   |____|         |______/ |___|

A terminal UI for decoding/encoding JSON Web Tokens inspired by JWT.io and jwt-cli


Crafted by

Auth0 by Okta


  • Fully offline
  • Supports secrets as plain text, file path (beginning with @) or base64 encoded string (beginning with b64:). Supported secret formats:
    • HMAC - HS{256,384,512}: Plain text, base64 encoded string, JWKS (JSON text and .json file)
    • RSA - RS{256,384,512}, PS{256,384,512}: PEM file, DER file, PKCS8 file, JWKS (JSON text and .json file)
    • ECDSA - ES{256,384}: PEM file, DER file, PKCS8 file, JWKS (JSON text and .json file)
    • EdDSA : PEM file, DER file, PKCS8 file, JWKS (JSON text and .json file)
      • Note: JWKS support is only for decoding. For encoding use PEM/DER/PKCS8 files for RSA/ECDSA/EdDSA and plain/base64 text for HMAC
  • Dark/Light themes
  • Sensible keyboard shortcuts and Mouse support
  • Copy to clipboard
  • STDOUT mode


Homebrew (Mac & Linux)

brew tap jwt-rs/jwt-ui
brew install jwt-ui

# If you need to be more specific, use:
brew install jwt-rs/jwt-ui/jwt-ui

To upgrade

brew upgrade jwt-ui

Scoop (Windows)

scoop bucket add jwt-ui-bucket https://github.com/jwt-rs/scoop-jwt-ui

scoop install jwt-ui


If you have Cargo installed then you install JWT UI from crates.io

cargo install jwt-ui --locked

You can also clone the repo and run cargo run or make to build and run the app

Arch Linux [Maintained by @orhun]

jwt-ui is available in the official repositories. You can install it using pacman:

pacman -S jwt-ui

Install script

Run the below command to install the latest binary. Run with sudo if you don't have write access to /usr/local/bin. Else the script will install to the current directory

curl https://raw.githubusercontent.com/jwt-rs/jwt-ui/main/deployment/getLatest.sh | bash


Run JWT UI as a Docker container.

docker run --rm -it deepu105/jwt-ui

You can also clone this repo and run make docker to build a docker image locally and run it using the above command


Binaries for macOS (x86_64, arm64), Linux GNU/MUSL(x86_64, armv6, armv7, aarch64) and Windows (x86_64, aarch64) are available on the releases page

  1. Download the latest binary for your OS.
  2. For Linux/macOS:
    1. cd to the file you just downloaded and run tar -C /usr/local/bin -xzf downloaded-file-name. Use sudo if required.
    2. Run with jwtui
  3. For Windows:
    1. Use 7-Zip or TarTool to unpack the tar file.
    2. Run the executable file jwtui.exe


# Start UI

# Start UI with prefilled token to decode and options

# Start UI with prefilled token to decode and JWKS secret from URL
jwtui -S $(curl https://domain.auth0.com/.well-known/jwks.json) [TOKEN]
# if your provider has a different URL for JWKS, look for `jwks_uri` in https://your.idp.com/.well-known/openid-configuration

# Print decoded token to stdout with HMAC plain text secret
jwtui -s -S 'plain_text_secret' [TOKEN]

# Print decoded token to stdout without signature validation.
jwtui -sn [TOKEN]

# Print decoded token to stdout with HMAC base64 encoded secret
jwtui -s -S 'b64:eW91ci0yNTYtYml0LXNlY3JldAo=' [TOKEN]

# Print decoded token to stdout as JSON
jwtui -j -S '@./secret.pem' [TOKEN]

# Print decoded token to stdout with JWKS secret from url
jwtui -s -S $(curl https://domain.auth0.com/.well-known/jwks.json) [TOKEN]

Press ? while running the app to see keybindings

Arguments: [TOKEN] JWT token to decode [mandatory for stdout mode, optional for TUI mode]


  • -S, --secret <SECRET> Secret for validating the JWT. Can be text, file path (beginning with @) or base64 encoded string (beginning with b64:) [default: ]
  • -s, --stdout Print to STDOUT instead of starting the CLI in TUI mode
  • -n, --no-verify Do not validate the signature of the JWT when printing to STDOUT.
  • -j, --json Print to STDOUT as JSON
  • -t, --tick-rate <TICK_RATE> Set the tick rate (milliseconds): the lower the number the higher the FPS. Must be less than 1000 [default: 250]
  • -h, --help Print help
  • -V, --version Print version

If you are looking for a non TUI CLI, check out jwt-cli


Decoder screen


Encoder screen





Note: On Debian/Ubuntu you might need to install libxcb-xfixes0-dev and libxcb-shape0-dev. On Fedora libxcb and libxcb-devel would be needed.

Note: On Linux you might need to have package xorg-dev (Debian/Ubuntu) or xorg-x11-server-devel (Fedora) or equivalent installed for the copy to clipboard features to work

Limitations/Known issues

  • Linux/Docker Copy to clipboard feature is OS/arch dependent and might crash in some Linux distros and is not supported on aarch64 and arm machines.
  • [macOS] KDash looks better on iTerm2 since macOS's default Terminal app makes the colors render weird.
  • [Windows] KDash looks better on CMD since Powershell's default theme makes the colors look weird.

Libraries used




  1. Update the version in Cargo.toml
  2. Update release notes in CHANGELOG.md
  3. Commit the changes
  4. Run make release V=vx.x.x to release a new version via GitHub actions



~344K SLoC