Scroll to navigation



jose-jws-ver - Verifies a JWS using the supplied JWKs


jose jws ver -i JWS [-I PAY] -k JWK [-a] [-O PAY]


The jose jws ver command verifies a signature over a payload using one or more JWKs. When specifying more than one JWK (-k), the program will succeed when any of the provided JWKs successfully verify a signature. Alternatively, if the -a option is given, the program will succeed only when all JWKs successfully verify a signature.

If the JWS is a detached JWS, meaning that the payload is stored in binary form external to the JWS itself, the payload can be loaded using the -I parameter.

Please note that, when specifying the -O option to output the payload, the payload is output whether or not the signature validates. Therefore, you must check the return value of the command before trusting the data.


Parse JWS from JSON
Read JWS from FILE
Read JWS from standard input
Read decoded payload from FILE
Read decoded payload from standard input
Read JWK(Set) from FILE
Read JWK(Set) from standard input
Decode payload to FILE
Decode payload to standard output
Ensure the JWS validates with all keys


Verify a regular JWS and output the payload:

$ jose jws ver -i msg.jws -k key.jwk -O msg.txt

Verify a detached JWS without outputting the payload:

$ jose jws ver -i msg.jws -I msg.txt -k key.jwk

Ensure that a JWS is signed with all specified keys:

$ jose jws ver -i msg.jws -k ec.jwk -k rsa.jwk -a


Nathaniel McCallum <>


jose-jws-fmt(1), jose-jws-sig(1)

May 2017