{"id":20272278,"url":"https://github.com/kubetrail/jwt","last_synced_at":"2025-08-11T05:13:28.133Z","repository":{"id":43937088,"uuid":"452307413","full_name":"kubetrail/jwt","owner":"kubetrail","description":"CLI: Encode custom key-value pairs as a signed JWT token","archived":false,"fork":false,"pushed_at":"2022-02-13T14:26:54.000Z","size":51,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-08T01:43:04.059Z","etag":null,"topics":["golang","jwt","jwt-token","signing","validation"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubetrail.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-01-26T14:29:21.000Z","updated_at":"2022-02-19T13:10:48.000Z","dependencies_parsed_at":"2022-09-09T18:44:14.939Z","dependency_job_id":null,"html_url":"https://github.com/kubetrail/jwt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kubetrail/jwt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubetrail%2Fjwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubetrail%2Fjwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubetrail%2Fjwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubetrail%2Fjwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubetrail","download_url":"https://codeload.github.com/kubetrail/jwt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/kubetrail%2Fjwt/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269832992,"owners_count":24482350,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-11T02:00:10.019Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","jwt","jwt-token","signing","validation"],"created_at":"2024-11-14T12:42:42.693Z","updated_at":"2025-08-11T05:13:28.111Z","avatar_url":"https://github.com/kubetrail.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# jwt\nEncode key-value pairs to a JWT token and decode to JSON\nusing private key that is encrypted using Google KMS\nensuring that the plaintext private key is never written\nto the disk.\n\n## disclaimer\n\u003e The use of this tool does not guarantee security or usability for\n\u003e any particular use. Please review the code and use at your own risk.\n\n## installation\nThis step assumes you have [Go compiler toolchain](https://go.dev/dl/)\ninstalled on your system.\n\nDownload the code and cd to the folder, then run\n```bash\ngo install\n```\n\nSetup autocompletion for your shell. For instance set\nfollowing for `bash`:\n```bash\nsource \u003c(jwt completion bash)\n```\n\n## usage\nEncoding signs token using private key and decoding validates\nusing public key. 
These keys can be generated such that the\nprivate key is Google KMS encrypted:\n\n### keygen\n```bash\njwt keygen\n```\nThis will output two files, `id` and `id.pub`, where `id` is the\nprivate key and is encrypted using Google KMS. The KMS key name and other\nparameters can either be supplied on the command line or set\nas environment variables. Please see help for more details.\n\nGoogle KMS encryption can be turned off using the `--no-kms` flag:\n```bash\njwt keygen --no-kms\n```\n\nThe default keygen algorithm is RSA; however, other algorithms can\nbe invoked using the `--alg` flag:\n```bash\njwt keygen --alg=ES256\n```\nPlease see help for more info on supported algorithms.\n\n\u003e HS256, HS384, HS512 algorithms generate a shared secret,\n\u003e which should not be encrypted using KMS. Please disable KMS\n\u003e when using one of these algorithms since the public keys\n\u003e are never encrypted and the tool expects them to be in plaintext.\n\n### encode\nCustom key-value pairs can now be encoded to a JWT token and signed\nusing the private key. 
Explicit flags are provided for a few standard\nclaims and certain keys are not allowed to be set such as token id.\n\nIn the most basic form a key-value can be provided as the argument\nas follows:\n```bash\njwt encode x=y\neyJhbGciOiJSUzI1NiIsImtpZCI6ImY1OTQ5Njg4LTM3ODctMDE0MC1hNGJmLWJlZTNmZTdkMzZkMyIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJqd3QtZGVjb2RlIiwiaWF0IjoxNjQzNDA4MTEwLCJpc3MiOiJqd3QtZW5jb2RlIiwianRpIjoiNjA5YzVlOTgtZDk2YS00MTEyLWFmY2QtMTU1Nzc5NTE4NDMyIiwieCI6InkifQ.BtcJ7P9JLyubH-WrPVoGPBYR0j02Q_10XnO4aR7weboTFiascC0029eRpm4Zt9Cdg_vidCeVKSXqpanMeCok3MfyLE77pbRlEYX98tyyhDN9HO7zX2PkKZvhENC7dxUIjP-Og7fI15StvImIhTYZ3tSIoEtr6RR-UgQ-0vqMAwCz_NmAUlCM-8gLUpGxriWYxp0iFGWfA31TFVRACg8dsnX5Anz37PGRlKj9BfAruZ6MixFvMXuCkZFyFHQOzr66ONO0vAWIqCe0kudiAJQzHgkovHK_Z32ckLeMZQvVB04wfVTRto5YMPSuCP-p5D_0aQcA8WG0g1n_Z9SFC-mLrw\n```\nYou can inspect the token structure [here](https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImY1OTQ5Njg4LTM3ODctMDE0MC1hNGJmLWJlZTNmZTdkMzZkMyIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJqd3QtZGVjb2RlIiwiaWF0IjoxNjQzNDA4MTEwLCJpc3MiOiJqd3QtZW5jb2RlIiwianRpIjoiNjA5YzVlOTgtZDk2YS00MTEyLWFmY2QtMTU1Nzc5NTE4NDMyIiwieCI6InkifQ.BtcJ7P9JLyubH-WrPVoGPBYR0j02Q_10XnO4aR7weboTFiascC0029eRpm4Zt9Cdg_vidCeVKSXqpanMeCok3MfyLE77pbRlEYX98tyyhDN9HO7zX2PkKZvhENC7dxUIjP-Og7fI15StvImIhTYZ3tSIoEtr6RR-UgQ-0vqMAwCz_NmAUlCM-8gLUpGxriWYxp0iFGWfA31TFVRACg8dsnX5Anz37PGRlKj9BfAruZ6MixFvMXuCkZFyFHQOzr66ONO0vAWIqCe0kudiAJQzHgkovHK_Z32ckLeMZQvVB04wfVTRto5YMPSuCP-p5D_0aQcA8WG0g1n_Z9SFC-mLrw)\nAs you see the header contains key ID which is a UUID generated from\nthe MD5 sum of the private key bytes (after KMS decryption as necessary).\nTherefore, header key ID will always remain the same as long as the same\nkey is being used for signing.\n\nThe payload, however, contains token ID `jti`, which is unique to that\nparticular token. 
Each new token will have a unique token ID.\n\n`iat` refers to issued-at-time and is denoted in seconds.\n\nString, number and boolean key-value pairs can be encoded as follows:\n```bash\njwt encode \\\n\t--str=name=xyz \\\n\t--str=loc=zz \\\n\t--num=temp=25.7 \\\n\t--num=pres=1000 \\\n\t--bool=frozen=false \\\n\t--bool=windy=true\n```\n\nActivation and expiry times can be set relative to `now`. In the example\nbelow the token is set to activate 10 seconds from the generation time\nand expire 100 seconds after generation. These time limits determine\ntoken validity during decoding as discussed below.\n```bash\njwt encode \\\n\t--audience=self \\\n\t--issuer=self \\\n\t--active-in-seconds=10 \\\n\t--expires-in-seconds=100\n```\n\n### decoding\nToken decoding uses the public key; in the example below the token is passed\nvia STDIN:\n```bash\njwt encode \\\n\t--str=name=xyz \\\n\t--str=loc=zz \\\n\t--num=temp=25.7 \\\n\t--num=pres=1000 \\\n\t--bool=frozen=false \\\n\t--bool=windy=true \\\n\t| jwt decode \\\n\t| jq '.'\n```\n```json\n{\n  \"header\": {\n    \"alg\": \"RS256\",\n    \"kid\": \"f5949688-3787-0140-a4bf-bee3fe7d36d3\",\n    \"typ\": \"JWT\"\n  },\n  \"claims\": {\n    \"aud\": \"jwt-decode\",\n    \"frozen\": false,\n    \"iat\": 1643379005,\n    \"iss\": \"jwt-encode\",\n    \"jti\": \"7e0b960c-fcb8-4249-ba03-ef9c5f37b677\",\n    \"loc\": \"zz\",\n    \"name\": \"xyz\",\n    \"pres\": 1000,\n    \"temp\": 25.7,\n    \"windy\": true\n  },\n  \"valid\": true\n}\n```\n\nOptionally skip validation. 
For instance, setting token\nactivation in the future will cause decoding to fail before\nthat time:\n```bash\njwt encode \\\n\t--active-in-seconds=10 \\\n\t| jwt decode --skip-validation \\\n\t| jq '.'\n```\n```json\n{\n  \"header\": {\n    \"alg\": \"RS256\",\n    \"kid\": \"f5949688-3787-0140-a4bf-bee3fe7d36d3\",\n    \"typ\": \"JWT\"\n  },\n  \"claims\": {\n    \"aud\": \"jwt-decode\",\n    \"iat\": 1643379090,\n    \"iss\": \"jwt-encode\",\n    \"jti\": \"9e7f1aad-9e00-4f97-b73b-f3b83a522921\",\n    \"nbf\": 1643379100\n  },\n  \"valid\": false\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubetrail%2Fjwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubetrail%2Fjwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubetrail%2Fjwt/lists"}