In certain situations, decoding an Access Token is the only way to retrieve important token-related information without going through the UI.
For example, if a user forgets the Token ID of the token they're using, they cannot accurately determine the token's expiration date in the UI, because token values themselves are not stored. Or a user may have forgotten both the Token ID and the actual token value and only have access to the reference token.
The best way to decode an Access Token in the form of a JWT (JSON Web Token) is to use the script below:
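# Replace "your_jwt_token" with your actual JWT token
JWT="your_jwt_token"
# JWT segments are base64url without "=" padding: map to standard base64 and re-pad before decoding
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 --decode; echo
}
# Decode the header
b64url_decode "$(echo "$JWT" | awk -F "." '{print $1}')"
# Decode the payload
b64url_decode "$(echo "$JWT" | awk -F "." '{print $2}')"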
This prints the token information, header first and then payload, similar to the output below. In this capture each JSON object is cut off just before its closing "}:
{"ver":"2","typ":"JWT","alg":"RS256","kid":"6mz1j0TFjm43AbyEWL-QLTU6dZ6GSAwbw03wL-RhqkM
{"sub":"jfac@01jp2ncgv5wsj40hxsgre70ehd/users/admin","scp":"applied-permissions/admin","aud":"*@*","iss":"jffe@01jp2ncgv5wsj40hxsgre70ehd","exp":1741800685,"iat":1741714285,"jti":"24a044c0-9d4b-4c14-8530-fa159e08ec21
If we don't have the full JWT but only the reference token, we can still decode the token's expiry information as shown below:
echo "cmVmdGtuOjAxOjIxMDIxNDQwNjA6aTQxb2ltYlRCaWdaakJjWlZVY0FvSW1iU2F4" | base64 -d
reftkn:01:2102144060:i41oimbTBigZjBcZVUcAoImbSax%
As shown, the expiry timestamp for the above reference token is 2102144060, the third colon-separated field of the decoded value. Converting it from epoch time to local time via https://www.epochconverter.com gives the expiry date for the token.
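The following is an added example, not part of the original article or the product's tooling: it combines both procedures above into one script that reads the expiry of either a JWT or a reference token and converts it to a UTC date locally. The function names, the sample JWT and its "example-user" subject are constructed for illustration, and the reference token layout is assumed from the single sample shown above.

```shell
#!/bin/sh
# Added example: read a token's expiry locally. Decoding does not verify the
# JWT signature, so treat the values as unverified.

# JWT segments are base64url without "=" padding; plain `base64 -d` truncates them.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Print the expiry (epoch seconds) of a JWT or reference token; return 1 if absent.
token_expiry_epoch() {
  case $1 in
    *.*.*)  # JWT: header.payload.signature, expiry is the "exp" claim
      payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" 2>/dev/null) || return 1
      exp=$(printf '%s' "$payload" |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p') ;;
    *)      # reference token: base64 of reftkn:<field>:<expiry>:<rest> (assumed from the sample)
      plain=$(b64url_decode "$1" 2>/dev/null) || return 1
      case $plain in reftkn:*) exp=$(printf '%s' "$plain" | cut -d: -f3) ;; *) return 1 ;; esac ;;
  esac
  case $exp in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "$exp"
}

# Convert epoch seconds to UTC (GNU/BusyBox date first, BSD/macOS date as fallback).
epoch_to_utc() {
  date -u -d "@$1" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null ||
    date -u -r "$1" '+%Y-%m-%dT%H:%M:%SZ'
}

# Constructed sample JWT (not a real token); exp/iat reuse the values shown in the article.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_JWT="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode \
  '{"sub":"example-user","exp":1741800685,"iat":1741714285}').constructed-signature"
# Reference token copied from the article's example.
SAMPLE_REF="cmVmdGtuOjAxOjIxMDIxNDQwNjA6aTQxb2ltYlRCaWdaakJjWlZVY0FvSW1iU2F4"

for tok in "$SAMPLE_JWT" "$SAMPLE_REF"; do
  exp=$(token_expiry_epoch "$tok") && echo "expires $exp ($(epoch_to_utc "$exp"))"
done
```

Running the conversion locally keeps the workflow in the terminal; only the numeric timestamp, never the token, is needed for the date step.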