{"id":36660816,"url":"https://github.com/davidul/jwt","last_synced_at":"2026-01-12T10:27:39.566Z","repository":{"id":151357259,"uuid":"436300404","full_name":"davidul/jwt","owner":"davidul","description":"JWT Utils","archived":false,"fork":false,"pushed_at":"2024-05-18T08:14:58.000Z","size":154,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-05-18T09:25:19.374Z","etag":null,"topics":["jwt"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/davidul.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-08T15:38:20.000Z","updated_at":"2024-05-18T09:25:25.826Z","dependencies_parsed_at":"2024-03-02T07:22:49.103Z","dependency_job_id":"457d68f8-6b9e-49c7-ae59-f821c015c97e","html_url":"https://github.com/davidul/jwt","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/davidul/jwt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidul%2Fjwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidul%2Fjwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidul%2Fjwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidul%2Fjwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/davidul","download_url":"https://codeload.github.com/davidul/jwt/tar.gz/refs/heads/master","sbom_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidul%2Fjwt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28338294,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T06:09:07.588Z","status":"ssl_error","status_checked_at":"2026-01-12T06:05:18.301Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt"],"created_at":"2026-01-12T10:27:39.483Z","updated_at":"2026-01-12T10:27:39.557Z","avatar_url":"https://github.com/davidul.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# JWT Command line\r\n\r\nCommand line application for testing JWT. You can generate JWT and sign it.\r\nYou can also generate public and private key for testing purposes.\r\n## Commands\r\n```shell\r\nhelp\r\ndecode  Decodes JWT Token\r\nencode  Encodes JWT Token\r\ngen     Generates JWT Token\r\ngenkeys Generates public and private key\r\n```\r\n### Help\r\n```shell\r\n./jwt help\r\n```\r\n\r\n### Generate Sample token\r\n\r\n`gen` command will generate sample token.\r\n```shell\r\n./jwt gen \r\n```\r\nThis token does not contain custom claims. Just standard\r\nclaims. 
Output looks like this\r\n\r\n```\r\n=== Generating Simple Token ===\r\nHeader\r\n        typ : JWT \r\n        alg : HS256 \r\nStandard Claims\r\n        iss : iss \r\n        nbf : 2018-12-31T01:00:00+01:00 \r\n        sub : sub \r\n        aud : aud \r\n        exp : 2020-01-01T01:00:00+01:00 \r\n        iat : 2018-12-30T01:00:00+01:00 \r\n\r\n Signed string: \r\neyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdWQiLCJleHAiOjE1Nzc4MzY4MDAsImlhdCI6MTU0NjEyODAwMCwiaXNzIjoiaXNzIiwibmJmIjoxNTQ2MjE0NDAwLCJzdWIiOiJzdWIifQ.vE5HikL25S3CUEuOEE9_GhcOtaXTsS5PSURVeR880iM\r\n```\r\nDefault secret is `AllYourBase`\r\nYou can change the secret with `--secret` flag.\r\n```shell\r\n./jwt gen --secret mysecret\r\n```\r\n\r\nChange the signing method\r\n```shell\r\n./jwt gen --signingmethod HS384\r\n```\r\n\r\nPossible signing methods are\r\n```\r\nHS256 | HS384 | HS512 (default \"HS256\")\r\n```\r\n\r\n\r\n### Generate Public/Private Key\r\n`genkeys` will generate private and public key to `stdout`.\r\n\r\nFlags\r\n```\r\n--keypath string   path to directory where keys will be stored (default \".\")\r\n--privatekey string   private key file name (default \"private.pem\")\r\n--publickey string   public key file name (default \"public.pem\")\r\n\r\n```\r\n\r\n```shell\r\njwt genkeys\r\n```\r\nWill generate private and public key to stdout.\r\n\r\nSpecify file path, this will generate `private.pem` and `public.pem` in current directory.\r\n```shell\r\njwt genkeys --keypath .\r\n```\r\n\r\nVerify keys\r\n```shell\r\nopenssl rsa -in path/to/rsa_key.pem -text -noout\r\n```\r\n\r\nSpecify file name\r\n```shell\r\n./jwt genkeys --keypath . 
--privatekey pk --publickey puk\r\n```\r\n\r\nThis will generate private and public key in current directory.\r\nThese keys can be used for signing and verifying JWT (testing purposes only).\r\n\r\n\r\n### Encode JWT\r\n\r\n```shell\r\n./jwt encode --secret test '{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"admin\":true}'\r\n```\r\n\r\nStore JWT in file\r\n```shell\r\n./jwt encode -f jwt.json '{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"admin\":true}' \r\n```\r\n\r\nYou can also specify a key within the file\r\n```shell\r\n./jwt encode -f jwt.json -k sample2 '{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"admin\":true}'\r\n```\r\n\r\nThe file structure is\r\n```json\r\n{\r\n\t\"sample2\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZSwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMTIzNDU2Nzg5MCJ9.tmEp2UgCbOCUSTedc2Ce2HGmIFv7v36g9lM7nstNz8k\"\r\n}\r\n```\r\n\r\n\r\n### Decode JWT\r\n\r\n```shell\r\n./jwt decode eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdWQiLCJleHAiOjE3MjIxNTIxNjgsImlhdCI6MTY5MDM1Njk2OCwiaXNzIjoiaXNzIiwibmJmIjoxNjkwNDQzMzY4LCJzdWIiOiJzdWIifQ._1L7ZTk4QpybaCk4rx2pgTwl1cGaRl8W9AUH_T3TfT0 AllYourBase\r\n```\r\n\r\n# JWT Samples\r\nJSON Web tokens defined in [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519) . \r\nJWT represents set of claims. \r\n\r\nJWT stands for \"JSON Web Token.\" It is a compact and self-contained way of representing \r\ninformation between two parties in a secure manner as a JSON object. \r\nJWT is commonly used for authentication and authorization in web applications and APIs.\r\n\r\nThe JWT is typically issued by an authentication server when a user logs in or \r\nrequests access to certain protected resources. The client (usually a web browser or mobile app) \r\nthen includes the JWT in the Authorization header when making subsequent requests to the server. 
\r\nThe server can then validate the JWT to authenticate the user and authorize access to the requested resources.\r\n\r\nSince JWTs are digitally signed, any modification of a token is detectable: a tampered token fails signature verification. This means that the server can trust the information \r\ncontained in a token whose signature it has verified, without the need to store session information on the server side. \r\nThis makes JWT a stateless and scalable approach for user authentication and authorization in distributed systems. \r\nHowever, it's essential to keep the secret used for signing JWTs secure to prevent unauthorized access and tampering.\r\n## JWT Structure\r\nJWT is a string consisting of three parts separated by dots.\r\n```\r\nheader.payload.signature\r\n```\r\n### Header\r\nHeader is a JSON object containing information about the token.\r\n```json\r\n{\r\n  \"typ\": \"JWT\",\r\n  \"alg\": \"HS256\"\r\n}\r\n```\r\nWhat is the purpose of the header? It is used to tell the receiver\r\nhow to validate the token. In this case the token is signed with HMAC\r\nusing SHA-256.\r\nWhat is the purpose of the typ? It is used to tell the receiver\r\nwhat the type of the token is. In this case it is JWT.\r\nWhat other types are there? There is JWE (JSON Web Encryption).\r\n\r\n### Payload\r\nPayload is a JSON object containing claims.\r\n```json\r\n{\r\n  \"sub\": \"1234567890\",\r\n  \"name\": \"John Doe\",\r\n  \"admin\": true\r\n}\r\n```\r\n### Signature\r\nSignature is a keyed hash (HMAC) computed over the encoded header and payload using the secret. \r\n```shell\r\nHMACSHA256(\r\n  base64UrlEncode(header) + \".\" +\r\n  base64UrlEncode(payload),\r\n  secret)\r\n```\r\n## JWT Claims\r\nClaims are key-value pairs holding information about a subject.\r\n\r\n### Registered Claims\r\nRegistered claims are predefined claims.\r\n```\r\niss (issuer)\r\nsub (subject)\r\naud (audience)\r\nexp (expiration time)\r\nnbf (not before)\r\niat (issued at)\r\njti (JWT ID)\r\n```\r\n### Public Claims\r\nPublic claims are defined by RFC 7519. 
\r\n```\r\nhttps://www.iana.org/assignments/jwt/jwt.xhtml\r\n```\r\n### Private Claims\r\nPrivate claims are custom claims defined by the user.\r\n\r\n## JOSE Header\r\nJOSE stands for JavaScript Object Signing and Encryption.\r\nExample JOSE header:\r\n```json\r\n{\r\n  \"typ\": \"JWT\",\r\n  \"alg\": \"HS256\"\r\n}\r\n```\r\n\r\nMAC stands for message authentication code.\r\nHMAC is a hash-based message authentication code.\r\nHMAC is a symmetric scheme: you have to pick a secret phrase\r\nwhich will be used in signing. In other words, you have to have\r\na shared key, so the other party can validate the message.\r\n\r\nTo overcome the issue with shared keys (how to share them in a secure manner) \r\nyou can also use public key cryptography.\r\n\r\nSigning algorithms\r\n```\r\n+--------------+-------------------------------+--------------------+\r\n| \"alg\" Param  | Digital Signature or MAC      | Implementation     |\r\n| Value        | Algorithm                     | Requirements       |\r\n+--------------+-------------------------------+--------------------+\r\n| HS256        | HMAC using SHA-256            | Required           |\r\n| HS384        | HMAC using SHA-384            | Optional           |\r\n| HS512        | HMAC using SHA-512            | Optional           |\r\n| RS256        | RSASSA-PKCS1-v1_5 using       | Recommended        |\r\n|              | SHA-256                       |                    |\r\n| RS384        | RSASSA-PKCS1-v1_5 using       | Optional           |\r\n|              | SHA-384                       |                    |\r\n| RS512        | RSASSA-PKCS1-v1_5 using       | Optional           |\r\n|              | SHA-512                       |                    |\r\n| ES256        | ECDSA using P-256 and SHA-256 | Recommended+       |\r\n| ES384        | ECDSA using P-384 and SHA-384 | Optional           |\r\n| ES512        | ECDSA using P-521 and SHA-512 | Optional           |\r\n| PS256        | RSASSA-PSS using SHA-256 and  | Optional           
|\r\n|              | MGF1 with SHA-256             |                    |\r\n| PS384        | RSASSA-PSS using SHA-384 and  | Optional           |\r\n|              | MGF1 with SHA-384             |                    |\r\n| PS512        | RSASSA-PSS using SHA-512 and  | Optional           |\r\n|              | MGF1 with SHA-512             |                    |\r\n| none         | No digital signature or MAC   | Optional           |\r\n|              | performed                     |                    |\r\n+--------------+-------------------------------+--------------------+\r\n```\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidul%2Fjwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdavidul%2Fjwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidul%2Fjwt/lists"}