Many API login and client-credential endpoints accept a JSON request body and return a JSON Web Token (JWT) for later requests. With wget, the token request and the protected API call can stay in the same shell workflow.
GNU wget does not have a JWT-specific option. The normal pattern is to send the auth request with --post-file and a Content-Type: application/json header, save the JSON response, then reuse the returned token in Authorization: Bearer ... on the protected request. If the API expects another method, current GNU Wget also supports --method with --body-file.
JWTs are bearer credentials, so any copied token can usually be replayed until expiry or revocation. Keep auth-response files out of shared directories, avoid printing full tokens in terminals or logs, and confirm the provider's actual response field names before scripting around them.
Steps to authenticate using JSON Web Tokens in wget:
- Put the JSON auth payload in a file so the request body is easy to review and reuse.
$ cat > login.json <<'JSON'
{
  "username": "svc-metrics-reader",
  "password": "replace-with-issued-secret"
}
JSON
A file-backed payload avoids fragile shell quoting and keeps longer JSON requests readable.
- Request the JWT from the auth endpoint and save the response body for inspection.
$ wget --quiet --server-response --output-document=auth-response.json \
    --header='Content-Type: application/json' \
    --post-file=login.json \
    https://api.example.net/jwt/token
  HTTP/1.1 200 OK
  Content-Type: application/json
  Content-Length: 226
For a standard token POST, --post-file is the shortest path. Use --method with --body-file only when the API expects a different HTTP method.
- Inspect the returned JSON and identify the field that contains the issued JWT.
$ jq . auth-response.json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdmMtbWV0cmljcy1yZWFkZXIiLCJzY29wZSI6Im1ldHJpY3M6cmVhZCIsImF1ZCI6ImFwaS5leGFtcGxlLm5ldCJ9.c2lnbmF0dXJlLXJlZGFjdGVk",
  "token_type": "Bearer",
  "expires_in": 3600
}
Many services return the token in access_token, but some APIs use accessToken or token instead.
- Extract the token into a shell variable without printing the full value.
$ ACCESS_TOKEN="$(jq -re '.access_token // .accessToken // .token' auth-response.json)"
$ printf 'token bytes=%s\n' "${#ACCESS_TOKEN}"
token bytes=162
Do not paste the full JWT into support tickets, copied shell transcripts, screenshots, or CI logs.
- Send the protected request with the bearer header and confirm that the API treats the call as authenticated.
$ wget -qO- --header="Authorization: Bearer ${ACCESS_TOKEN}" https://api.example.net/jwt/protected
{
  "authenticated": true,
  "subject": "svc-metrics-reader",
  "scope": "metrics:read"
}
The protected endpoint should return the expected application payload, not an HTML sign-in page, redirect target, or auth error body.
- Remove the saved response and clear the token from the current shell when the request is finished.
$ rm -f auth-response.json login.json
$ unset ACCESS_TOKEN
Cleanup matters because the saved response file and the shell variable both contain reusable credentials until the token expires or is revoked.
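Between extracting the token and sending the protected request, the token's claims can be checked locally without printing the token itself. The helpers below are an added example, not part of the original steps: the function names are illustrative, GNU coreutils base64 is assumed, and the sample token is the one shown in the jq output above.

```shell
#!/bin/sh
# Added example (not from the original page). Decoding shows what a token
# claims; it does NOT verify the signature. Only the issuing API can do that.

# Sample token copied from the page's jq output (its signature is a dummy).
SAMPLE_JWT='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdmMtbWV0cmljcy1yZWFkZXIiLCJzY29wZSI6Im1ldHJpY3M6cmVhZCIsImF1ZCI6ImFwaS5leGFtcGxlLm5ldCJ9.c2lnbmF0dXJlLXJlZGFjdGVk'

# A compact JWT is exactly three non-empty base64url segments joined by dots.
jwt_is_wellformed() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # characters outside base64url
        *.*.*.*)           return 1 ;;   # more than three segments
        ?*.?*.?*)          return 0 ;;   # header.payload.signature
        *)                 return 1 ;;
    esac
}

# Print the decoded payload (claims) JSON of the token passed as $1.
jwt_payload() (
    jwt_is_wellformed "$1" || exit 1
    seg=${1#*.}; seg=${seg%%.*}                 # keep the middle segment
    seg=$(printf '%s' "$seg" | tr '_-' '/+')    # base64url -> base64 alphabet
    case $(( ${#seg} % 4 )) in                  # restore stripped padding
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
        1) exit 1 ;;                            # not a valid base64 length
    esac
    printf '%s' "$seg" | base64 -d
)

# Succeed only if the token has an exp claim that is still in the future.
# Uses jq, as the steps on this page already do.
jwt_not_expired() (
    exp=$(jwt_payload "$1" | jq -e '.exp // empty | floor') || exit 1
    [ "$exp" -gt "$(date +%s)" ]
)

# Show the claims, never the token itself.
jwt_payload "$SAMPLE_JWT"; echo
```

In the workflow above, call jwt_payload "$ACCESS_TOKEN" after the extraction step to confirm the subject, scope and audience before the token is sent to the protected endpoint.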
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
