How to authenticate using JSON Web Tokens in wget

Many API login and client-credential endpoints accept a JSON request body and return a JSON Web Token (JWT) for later requests. Doing this with wget keeps the token request and the protected API call in the same shell workflow.

GNU wget does not have a JWT-specific option. The normal pattern is to send the auth request with --post-file and a Content-Type: application/json header, save the JSON response, then reuse the returned token in Authorization: Bearer ... on the protected request. If the API expects another method, current GNU Wget also supports --method with --body-file.

JWTs are bearer credentials, so any copied token can usually be replayed until expiry or revocation. Keep auth-response files out of shared directories, avoid printing full tokens in terminals or logs, and confirm the provider's actual response field names before scripting around them.

Steps to authenticate using JSON Web Tokens in wget:

  1. Put the JSON auth payload in a file so the request body is easy to review and reuse.
    $ cat > login.json <<'JSON'
    {
      "username": "svc-metrics-reader",
      "password": "replace-with-issued-secret"
    }
    JSON

    A file-backed payload avoids fragile shell quoting and keeps longer JSON requests readable.

  2. Request the JWT from the auth endpoint and save the response body for inspection.
    $ wget --quiet --server-response --output-document=auth-response.json \
      --header='Content-Type: application/json' \
      --post-file=login.json \
      https://api.example.net/jwt/token
      HTTP/1.1 200 OK
      Content-Type: application/json
      Content-Length: 226

    For a standard token POST, --post-file is the shortest path. Use --method with --body-file only when the API expects a different HTTP method.

  3. Inspect the returned JSON and identify the field that contains the issued JWT.
    $ jq . auth-response.json
    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdmMtbWV0cmljcy1yZWFkZXIiLCJzY29wZSI6Im1ldHJpY3M6cmVhZCIsImF1ZCI6ImFwaS5leGFtcGxlLm5ldCJ9.c2lnbmF0dXJlLXJlZGFjdGVk",
      "token_type": "Bearer",
      "expires_in": 3600
    }

    Many services return the token in access_token, but some APIs use accessToken or token instead.

  4. Extract the token into a shell variable without printing the full value.
    $ ACCESS_TOKEN="$(jq -re '.access_token // .accessToken // .token' auth-response.json)"
    $ printf 'token bytes=%s\n' "${#ACCESS_TOKEN}"
    token bytes=162

    Do not paste the full JWT into support tickets, copied shell transcripts, screenshots, or CI logs.

  5. Send the protected request with the bearer header and confirm that the API treats the call as authenticated.
    $ wget -qO- --header="Authorization: Bearer ${ACCESS_TOKEN}" https://api.example.net/jwt/protected
    {
      "authenticated": true,
      "subject": "svc-metrics-reader",
      "scope": "metrics:read"
    }

    The protected endpoint should return the expected application payload, not an HTML sign-in page, redirect target, or auth error body.

  6. Remove the saved response and the login payload, and clear the token from the current shell when the request is finished.
    $ rm -f auth-response.json login.json
    $ unset ACCESS_TOKEN

    Cleanup matters because the saved response file and the shell variable both contain reusable credentials until the token expires or is revoked, and login.json holds the account password.
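
Added example, not part of the original steps: the --header option in step 5 puts the token in wget's argument list, which other local users can typically read from the process table while the request runs. The sketch below checks that the value is JWT-shaped (which also stops a stray newline from adding extra config lines) and passes it to wget through a private wgetrc-style file. The function names are hypothetical, and it assumes a GNU Wget build that supports --config.

```shell
#!/bin/sh
# Added example: hand a bearer token to wget through a private config file
# instead of --header, so the token never appears in wget's argument list.
# Function names are hypothetical; assumes GNU Wget with --config support.

# Succeed only for three non-empty base64url segments joined by dots.
is_jwt_shape() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;  # spaces, quotes, newlines, padding
        *.*.*.*)           return 1 ;;  # more than three segments
        ?*.?*.?*)          return 0 ;;
        *)                 return 1 ;;
    esac
}

# Write "header = Authorization: Bearer <token>" to a 0600 file inside a
# fresh 0700 directory and print the file's path.
write_bearer_wgetrc() {
    token=$1
    if ! is_jwt_shape "$token"; then
        echo "refusing to write config: value is not JWT-shaped" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077
    dir=$(mktemp -d) || { umask "$old_umask"; return 1; }
    # printf is a builtin in bash and dash, so no child process gets the token.
    printf 'header = Authorization: Bearer %s\n' "$token" > "$dir/wgetrc"
    umask "$old_umask"
    printf '%s\n' "$dir/wgetrc"
}

# Fetch URL ($1) with TOKEN ($2), then delete the config directory.
wget_with_bearer() {
    rc=$(write_bearer_wgetrc "$2") || return 1
    status=0
    wget -qO- --config="$rc" "$1" || status=$?
    rm -rf "${rc%/wgetrc}"
    return "$status"
}

# Usage, replacing the command in step 5:
#   wget_with_bearer https://api.example.net/jwt/protected "$ACCESS_TOKEN"
```

Because --config replaces the default startup files, any settings in the system or user wgetrc do not apply to this call.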