{"id":15030664,"url":"https://github.com/keats/jsonwebtoken","last_synced_at":"2025-05-14T22:05:40.325Z","repository":{"id":37730281,"uuid":"45360444","full_name":"Keats/jsonwebtoken","owner":"Keats","description":"JWT lib in rust","archived":false,"fork":false,"pushed_at":"2025-05-04T20:13:02.000Z","size":383,"stargazers_count":1824,"open_issues_count":65,"forks_count":292,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-05-14T22:05:12.335Z","etag":null,"topics":["jsonwebtoken","jwt","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keats.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-11-01T22:35:34.000Z","updated_at":"2025-05-14T09:09:49.000Z","dependencies_parsed_at":"2023-11-06T11:48:10.618Z","dependency_job_id":"c41a6972-8413-47fa-aa66-1899b8f6b1cd","html_url":"https://github.com/Keats/jsonwebtoken","commit_stats":{"total_commits":315,"total_committers":80,"mean_commits":3.9375,"dds":0.6984126984126984,"last_synced_commit":"c733c786fc9a31362ad21a7498cbd926d1aa7e4b"},"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keats%2Fjsonwebtoken","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keats%2Fjsonwebtoken/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keats%2Fjsonwebtoken/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/Keats%2Fjsonwebtoken/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keats","download_url":"https://codeload.github.com/Keats/jsonwebtoken/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254235687,"owners_count":22036962,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jsonwebtoken","jwt","rust"],"created_at":"2024-09-24T20:14:00.085Z","updated_at":"2025-05-14T22:05:40.245Z","avatar_url":"https://github.com/Keats.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# jsonwebtoken\n\n[API documentation on docs.rs](https://docs.rs/jsonwebtoken/)\n\nSee [JSON Web Tokens](https://en.wikipedia.org/wiki/JSON_Web_Token) for more information on what JSON Web Tokens are.\n\n## Installation\nAdd the following to Cargo.toml:\n\n```toml\njsonwebtoken = \"9\"\n# If you do not need pem decoding, you can disable the default feature `use_pem` that way:\n# jsonwebtoken = {version = \"9\", default-features = false }\nserde = {version = \"1.0\", features = [\"derive\"] }\n```\n\nThe minimum required Rust version (MSRV) is specified in the `rust-version` field in this project's [Cargo.toml](Cargo.toml).\n\n## Algorithms\nThis library currently supports the following:\n\n- HS256\n- HS384\n- HS512\n- RS256\n- RS384\n- RS512\n- PS256\n- PS384\n- PS512\n- ES256\n- ES384\n- EdDSA\n\n\n## How to use\nComplete examples are available in the examples directory: a basic one and one with a custom header.\n\nIn terms of imports and structs:\n```rust\nuse serde::{Serialize, 
Deserialize};\nuse jsonwebtoken::{encode, decode, Header, Algorithm, Validation, EncodingKey, DecodingKey};\n\n/// Our claims struct, it needs to derive `Serialize` and/or `Deserialize`\n#[derive(Debug, Serialize, Deserialize)]\nstruct Claims {\n    sub: String,\n    company: String,\n    exp: usize,\n}\n```\n\n### Claims\nThe claims fields which can be validated. (see [validation](#validation))\n\n```rust\n#[derive(Debug, Serialize, Deserialize)]\nstruct Claims {\n    aud: String,         // Optional. Audience\n    exp: usize,          // Required (validate_exp defaults to true in validation). Expiration time (as UTC timestamp)\n    iat: usize,          // Optional. Issued at (as UTC timestamp)\n    iss: String,         // Optional. Issuer\n    nbf: usize,          // Optional. Not Before (as UTC timestamp)\n    sub: String,         // Optional. Subject (whom token refers to)\n}\n```\n\n### Header\nThe default algorithm is HS256, which uses a shared secret.\n\n```rust\nlet token = encode(\u0026Header::default(), \u0026my_claims, \u0026EncodingKey::from_secret(\"secret\".as_ref()))?;\n```\n\n#### Custom headers \u0026 changing algorithm\nAll the parameters from the RFC are supported but the default header only has `typ` and `alg` set.\nIf you want to set the `kid` parameter or change the algorithm for example:\n\n```rust\nlet mut header = Header::new(Algorithm::HS512);\nheader.kid = Some(\"blabla\".to_owned());\n\nlet mut extras = HashMap::with_capacity(1);\nextras.insert(\"custom\".to_string(), \"header\".to_string());\nheader.extras = Some(extras);\n\nlet token = encode(\u0026header, \u0026my_claims, \u0026EncodingKey::from_secret(\"secret\".as_ref()))?;\n```\nLook at `examples/custom_header.rs` for a full working example.\n\n### Encoding\n\n```rust\n// HS256\nlet token = encode(\u0026Header::default(), \u0026my_claims, \u0026EncodingKey::from_secret(\"secret\".as_ref()))?;\n// RSA\nlet token = encode(\u0026Header::new(Algorithm::RS256), \u0026my_claims, 
\u0026EncodingKey::from_rsa_pem(include_bytes!(\"privkey.pem\"))?)?;\n```\nEncoding a JWT takes 3 parameters:\n\n- a header: the `Header` struct\n- some claims: your own struct\n- a key/secret\n\nWhen using HS256, HS384, or HS512, the key is always a shared secret like in the example above. When using\nRSA/EC, the key should always be the content of the private key in PEM or DER format.\n\nIf your key is in PEM format, it is better for performance to generate the `EncodingKey` once in a `lazy_static` or\nsomething similar and reuse it.\n\n### Decoding\n\n```rust\n// `token` is a struct with 2 fields: `header` and `claims` where `claims` is your own struct.\nlet token = decode::\u003cClaims\u003e(\u0026token, \u0026DecodingKey::from_secret(\"secret\".as_ref()), \u0026Validation::default())?;\n```\n`decode` can result in errors for a variety of reasons:\n\n- the token or its signature is invalid\n- the token had invalid base64\n- validation of at least one reserved claim failed\n\nAs with encoding, when using HS256, HS384, or HS512, the key is always a shared secret like in the example above. 
When using\nRSA/EC, the key should always be the content of the public key in PEM (or certificate in this case) or DER format.\n\nIn some cases, for example if you don't know the algorithm used or need to grab the `kid`, you can choose to decode only the header:\n\n```rust\nlet header = decode_header(\u0026token)?;\n```\n\nThis does not perform any signature verification or validate the token claims.\n\nYou can also decode a token using the public key components of a RSA key in base64 format.\nThe main use-case is for JWK where your public key is in a JSON format like so:\n\n```json\n{\n   \"kty\":\"RSA\",\n   \"e\":\"AQAB\",\n   \"kid\":\"6a7a119f-0876-4f7e-8d0f-bf3ea1391dd8\",\n   \"n\":\"yRE6rHuNR0QbHO3H3Kt2pOKGVhQqGZXInOduQNxXzuKlvQTLUTv4l4sggh5_CYYi_cvI-SXVT9kPWSKXxJXBXd_4LkvcPuUakBoAkfh-eiFVMh2VrUyWyj3MFl0HTVF9KwRXLAcwkREiS3npThHRyIxuy0ZMeZfxVL5arMhw1SRELB8HoGfG_AtH89BIE9jDBHZ9dLelK9a184zAf8LwoPLxvJb3Il5nncqPcSfKDDodMFBIMc4lQzDKL5gvmiXLXB1AGLm8KBjfE8s3L5xqi-yUod-j8MtvIj812dkS4QMiRVN_by2h3ZY8LYVGrqZXZTcgn2ujn8uKjXLZVD5TdQ\"\n}\n```\n\n```rust\n// `token` is a struct with 2 fields: `header` and `claims` where `claims` is your own struct.\nlet token = decode::\u003cClaims\u003e(\u0026token, \u0026DecodingKey::from_rsa_components(jwk[\"n\"], jwk[\"e\"]), \u0026Validation::new(Algorithm::RS256))?;\n```\n\nIf your key is in PEM format, it is better performance wise to generate the `DecodingKey` once in a `lazy_static` or\nsomething similar and reuse it.\n\n### Convert SEC1 private key to PKCS8\n`jsonwebtoken` currently only supports PKCS8 format for private EC keys. If your key has `BEGIN EC PRIVATE KEY` at the top,\nthis is a SEC1 type and can be converted to PKCS8 like so:\n\n```bash\nopenssl pkcs8 -topk8 -nocrypt -in sec1.pem -out pkcs8.pem\n```\n\n\n## Validation\nThis library automatically validates the `exp` claim, and `nbf` is validated if present. 
You can also validate the `sub`, `iss`, and `aud` but\nthose require setting the expected values in the `Validation` struct. In the case of `aud`, if there is a value set in the token but\nnot in the `Validation`, the token will be rejected.\n\nValidation is only made on present fields in the claims. It is possible to define the required claims, hence verifying that a JWT has a value for each of these claims before it is considered for validation. The required claims can be set in the `Validation` struct. The default option requires the `exp` claim to be present.\n\nSince validating time fields is always a bit tricky due to clock skew,\nyou can add some leeway to the `iat`, `exp`, and `nbf` validation by setting the `leeway` field.\n\nLast but not least, you will need to set the algorithm(s) allowed for this token if you are not using `HS256`.\n\nLook at `examples/validation.rs` for a full working example.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeats%2Fjsonwebtoken","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeats%2Fjsonwebtoken","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeats%2Fjsonwebtoken/lists"}