{"id":48915253,"url":"https://github.com/godaddy/sso-jwt","last_synced_at":"2026-04-17T02:00:35.387Z","repository":{"id":351161163,"uuid":"1209776815","full_name":"godaddy/sso-jwt","owner":"godaddy","description":"Eliminate plaintext credentials: SSO-derived JWTs secured by Secure Enclave and TPM 2.0","archived":false,"fork":false,"pushed_at":"2026-04-13T22:05:17.000Z","size":281,"stargazers_count":0,"open_issues_count":1,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T22:16:39.703Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/godaddy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":"THREAT_MODEL.md","audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-13T19:14:05.000Z","updated_at":"2026-04-13T21:23:53.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/godaddy/sso-jwt","commit_stats":null,"previous_names":["godaddy/sso-jwt"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/godaddy/sso-jwt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Fsso-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Fsso-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Fsso-jwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Fsso-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/godaddy","download_url":"https://codeload.github.com/godaddy/sso-jwt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Fsso-jwt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31911846,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-16T18:22:33.417Z","status":"online","status_checked_at":"2026-04-17T02:00:06.879Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-17T02:00:25.120Z","updated_at":"2026-04-17T02:00:35.380Z","avatar_url":"https://github.com/godaddy.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sso-jwt\n\nRust toolkit for obtaining SSO JWTs with hardware-backed secure caching.\n\n`sso-jwt` replaces the older Node.js `ssojwt` workflow with a native implementation that:\n\n- caches tokens encrypted at rest\n- supports Secure Enclave, TPM, WSL bridge, and software fallback backends\n- uses server-profile configuration instead of hardcoded single-endpoint assumptions\n- supports both CLI and Node.js consumers\n\n## Workspace\n\n| Crate | Purpose |\n|---|---|\n| [`sso-jwt`](sso-jwt/) | CLI binary |\n| [`sso-jwt-lib`](sso-jwt-lib/) | core token, config, cache, and OAuth logic |\n| [`sso-jwt-napi`](sso-jwt-napi/) | Node.js native addon |\n| [`sso-jwt-tpm-bridge`](sso-jwt-tpm-bridge/) | Windows TPM bridge for WSL |\n\n## Installation\n\n**[Download latest release](https://github.com/godaddy/sso-jwt/releases/latest)** for macOS, Windows, and Linux.\n\n### Homebrew\n\n```bash\nbrew tap godaddy/sso-jwt\nbrew install sso-jwt\n```\n\n### Scoop\n\n```powershell\nscoop bucket add sso-jwt https://github.com/godaddy/scoop-sso-jwt\nscoop install sso-jwt\n```\n\n### From source\n\n```bash\ncargo install --path sso-jwt\n```\n\n## Quick start\n\n```bash\n# safest common path\nsso-jwt exec -- terraform apply\n\n# or capture stdout for a single child process\nSSO_JWT=$(sso-jwt) terraform apply\n\n# install shell guardrails\neval \"$(sso-jwt shell-init zsh)\"\n```\n\nThe default `exec` variable name is `SSO_JWT`. Shell integration also warns on common `COMPANY_JWT` export patterns because that was used in earlier workflows.\n\n## CLI surface\n\n```text\nsso-jwt [OPTIONS] [COMMAND]\n\nCommands:\n  shell-init   Print shell integration script\n  exec         Run a command with the JWT injected into its environment\n  install      Print install guidance or configure WSL from Windows\n  uninstall    Remove WSL config on Windows or print manual removal guidance\n  add-server   Add a server profile from a URL, GitHub repo, or local file\n```\n\nKey options:\n\n- `--server`\n- `--environment`\n- `--cache-name`\n- `--risk-level`\n- `--oauth-url`\n- `--biometric`\n- `--no-open`\n- `--clear`\n\n## Configuration\n\nConfiguration lives at `~/.config/sso-jwt/config.toml`.\n\nCurrent config shape:\n\n```toml\ndefault_server = \"myco\"\nrisk_level = 2\nbiometric = false\ncache_name = \"default\"\n\n[servers.myco]\nclient_id = \"sso-jwt\"\n\n[servers.myco.environments.prod]\ndefault = true\noauth_url = \"https://sso.example.com/oauth/device\"\ntoken_url = \"https://sso.example.com/oauth/token\"\nheartbeat_url = \"https://sso.example.com/oauth/heartbeat\"\n```\n\nEnvironment variable overrides:\n\n| Variable | Purpose |\n|---|---|\n| `SSOJWT_SERVER` | server profile name |\n| `SSOJWT_ENVIRONMENT` | environment within the selected server |\n| `SSOJWT_OAUTH_URL` | direct OAuth device URL override |\n| `SSOJWT_TOKEN_URL` | token polling URL override |\n| `SSOJWT_HEARTBEAT_URL` | heartbeat URL override |\n| `SSOJWT_CLIENT_ID` | client ID override |\n| `SSOJWT_RISK_LEVEL` | risk level override |\n| `SSOJWT_BIOMETRIC` | biometric override |\n| `SSOJWT_CACHE_NAME` | cache-name override |\n\n`sso-jwt exec` uses `--env-var` to choose the child-process environment variable name. That setting is not part of the persisted config file.\n\n## Server profiles\n\nYou can add a server from a local file, URL, or GitHub repo path:\n\n```bash\nsso-jwt add-server myco --from-url ./server.toml\nsso-jwt add-server github --from-github owner/repo/path/to/server.toml\n```\n\nIf you omit the label, `add-server` stores the profile as `default` and also sets it as `default_server`.\n\n## Platform security\n\nAll platform-specific crypto comes from [libenclaveapp](https://github.com/godaddy/libenclaveapp).\n\n| Platform | Backend |\n|---|---|\n| macOS | Secure Enclave |\n| Windows | TPM 2.0 |\n| WSL | Windows TPM bridge |\n| Linux with TPM | TPM 2.0 |\n| Linux without TPM | software fallback |\n\n## Development\n\n```bash\ncargo build\ncargo test\ncargo clippy --workspace --all-targets -- -D warnings\ncargo fmt --all -- --check\n```\n\nNode addon build:\n\n```bash\ncd sso-jwt-napi\nnpm install\nnpm run build\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgodaddy%2Fsso-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgodaddy%2Fsso-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgodaddy%2Fsso-jwt/lists"}