{"id":13408754,"url":"https://github.com/pascaldekloe/jwt","last_synced_at":"2025-04-05T01:09:05.993Z","repository":{"id":50259130,"uuid":"126172102","full_name":"pascaldekloe/jwt","owner":"pascaldekloe","description":"JSON Web Token library","archived":false,"fork":false,"pushed_at":"2023-04-29T11:29:18.000Z","size":469,"stargazers_count":354,"open_issues_count":0,"forks_count":25,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-10-20T09:14:41.807Z","etag":null,"topics":["bearer-authentication","bearer-authorization","bearer-tokens","ecdsa","ed25519","hmac","hmac-authentication","http-authentication","http-bearer","json-web-token","jwk","jwt","jwt-bearer-tokens","rsa-signature"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pascaldekloe.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-03-21T11:59:53.000Z","updated_at":"2024-09-26T12:54:51.000Z","dependencies_parsed_at":"2024-01-08T14:30:43.687Z","dependency_job_id":"dc4884f8-fc31-4807-855d-52836232aaa1","html_url":"https://github.com/pascaldekloe/jwt","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pascaldekloe%2Fjwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pascaldekloe%2Fjwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pascaldekloe%2Fjwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pascaldekloe%2Fjwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pascaldekloe","download_url":"https://codeload.github.com/pascaldekloe/jwt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247271532,"owners_count":20911587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bearer-authentication","bearer-authorization","bearer-tokens","ecdsa","ed25519","hmac","hmac-authentication","http-authentication","http-bearer","json-web-token","jwk","jwt","jwt-bearer-tokens","rsa-signature"],"created_at":"2024-07-30T20:00:55.013Z","updated_at":"2025-04-05T01:09:05.967Z","avatar_url":"https://github.com/pascaldekloe.png","language":"Go","funding_links":[],"categories":["Authentication and Authorization","Authentication and OAuth","Go","身份验证和OAuth","认证和OAuth授权","Web Framework Hardening","Uncategorized"],"sub_categories":["Contents"],"readme":"[![API Documentation](https://godoc.org/github.com/pascaldekloe/jwt?status.svg)](https://godoc.org/github.com/pascaldekloe/jwt)\n[![Build Status](https://github.com/pascaldekloe/jwt/actions/workflows/go.yml/badge.svg)](https://github.com/pascaldekloe/jwt/actions/workflows/go.yml)\n\n## About\n\n… a JSON Web Token (JWT) library for the Go programming language.\n\n* Feature complete\n* Full test coverage\n* Dependency free\n* Key [management](https://godoc.org/github.com/pascaldekloe/jwt#KeyRegister)\n\nThe API enforces secure use by design. Unsigned tokens are [rejected](https://godoc.org/github.com/pascaldekloe/jwt#ErrUnsecured).\nNo support for encrypted tokens either—use wire encryption instead.\n\nThis is free and unencumbered software released into the\n[public domain](https://creativecommons.org/publicdomain/zero/1.0).\n\n\n## Introduction\n\nTokens encapsulate signed statements called claims. A claim is a named JSON\nvalue. Applications using JWTs should define which specific claims they use and\nwhen they are required or optional.\n\n```go\nvar claims jwt.Claims\nclaims.Subject = \"alice\"\nclaims.Issued  = jwt.NewNumericTime(time.Now().Round(time.Second))\nclaims.Set     = map[string]interface{}{\"email_verified\": false}\n// issue a JWT\ntoken, err := claims.EdDSASign(JWTPrivateKey)\n```\n\nTokens consists of printable ASCII characters, e.g.,\n`eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJha3JpZWdlciIsInByZWZpeCI6IkRyLiJ9.RTOboYsLW7zXFJyXtIypOmXfuRGVT_FpDUTs2TOuK73qZKm56JcESfsl_etnBsl7W80TXE5l5qecrMizh3XYmw`.\nSecured resources can use such tokens to determine the respective permissions.\nNote how the verification process is self-contained with just a public key.\n\n```go\n// verify a JWT\nclaims, err := jwt.EdDSACheck(token, JWTPublicKey)\nif err != nil {\n\tlog.Print(\"credentials rejected: \", err)\n\treturn\n}\nerr = claims.AcceptTemporal(time.Now(), time.Second)\nif err != nil {\n\tlog.Print(\"credential constraints violated: \", err)\n\treturn\n}\n\n// ready for use\nlog.Print(\"hello \", claims.Subject)\nif verified, _ := claims.Set[\"email_verified\"].(bool); !verified {\n\tlog.Print(\"e-mail confirmation pending\")\n}\n```\n\nCommonly, agents receive a JWT uppon authentication/login. Then, that token is\nincluded with requests to the secured resources, as a proof of authority. Token\naccess is “eyes only” in such scenario. Include and enforce more context detail\nwith claims to further reduce risk. E.g., a session identifier or a fingerprint\nof the client's TLS key can prevent usage of any hijacked tokens.\n\n\n## High-Level API\n\nServer-side security can be applied with a standard `http.Handler` setup.\nThe following example denies requests to `MyAPI` when the JWT is not valid,\nor when the JWT is missing either the subject, formatted name or roles claim.\n\n```go\n// define trusted credentials\nvar keys jwt.KeyRegister\nn, err := keys.LoadPEM(text, nil)\nif err != nil {\n\tlog.Fatal(err)\n}\nlog.Print(\"setup with \", n, \" JWT keys\")\n\nhttp.Handle(\"/api/v1\", \u0026jwt.Handler{\n\tTarget: MyAPI, // protected HTTP handler\n\tKeys:   \u0026keys,\n\n\t// map two claims to HTTP headers\n\tHeaderPrefix: \"X-Verified-\",\n\tHeaderBinding: map[string]string{\n\t\t\"sub\": \"X-Verified-User\", // registered [standard] claim\n\t\t\"fn\":  \"X-Verified-Name\", // private [custom] claim\n\t},\n\n\t// map another claim with custom logic\n\tFunc: func(w http.ResponseWriter, req *http.Request, claims *jwt.Claims) (pass bool) {\n\t\tlog.Printf(\"got a valid JWT %q for %q\", claims.ID, claims.Audiences)\n\n\t\t// map role enumeration\n\t\ts, ok := claims.String(\"roles\")\n\t\tif !ok {\n\t\t\thttp.Error(w, \"jwt: want roles claim as a string\", http.StatusForbidden)\n\t\t\treturn false\n\t\t}\n\t\treq.Header[\"X-Verified-Roles\"] = strings.Fields(s)\n\n\t\treturn true\n\t},\n})\n```\n\nWhen all applicable JWT claims are mapped to HTTP request headers, then the\nservice logic can stay free of verification code, plus easier unit testing.\n\n```go\n// Greeting is a standard HTTP handler fuction.\nfunc Greeting(w http.ResponseWriter, req *http.Request) {\n\tfmt.Fprintf(w, \"Hello %s!\\n\", req.Header.Get(\"X-Verified-Name\"))\n\tfmt.Fprintf(w, \"You are authorized as %s.\\n\", req.Header.Get(\"X-Verified-User\"))\n}\n```\n\nThe validated [Claims](https://godoc.org/github.com/pascaldekloe/jwt#Claims)\nobject may also be exposed through the\n[request context](https://godoc.org/github.com/pascaldekloe/jwt#example-Handler--Context).\n\n\n## Performance\n\nThe following results were measured with Go 1.20.3 on an Apple M1.\n\n```\nECDSA/sign-ES256-8         19.88µ ± 0%\nECDSA/sign-ES384-8         182.2µ ± 0%\nECDSA/check-ES256-8        58.65µ ± 0%\nECDSA/check-ES384-8        535.2µ ± 0%\nEdDSA/sign-EdDSA-8         21.30µ ± 1%\nEdDSA/check-EdDSA-8        47.12µ ± 1%\nHMAC/sign-HS256-8          660.1n ± 0%\nHMAC/sign-HS256-reuse-8    458.3n ± 1%\nHMAC/sign-HS384-8          1.028µ ± 0%\nHMAC/sign-HS384-reuse-8    600.4n ± 0%\nHMAC/sign-HS512-8          1.053µ ± 0%\nHMAC/sign-HS512-reuse-8    616.6n ± 0%\nHMAC/check-HS256-8         1.826µ ± 0%\nHMAC/check-HS256-reuse-8   1.611µ ± 1%\nHMAC/check-HS384-8         2.271µ ± 1%\nHMAC/check-HS384-reuse-8   1.786µ ± 1%\nHMAC/check-HS512-8         2.287µ ± 1%\nHMAC/check-HS512-reuse-8   1.803µ ± 0%\nRSA/sign-1024-bit-8        292.8µ ± 1%\nRSA/sign-2048-bit-8        1.273m ± 0%\nRSA/sign-4096-bit-8        8.685m ± 1%\nRSA/check-1024-bit-8       49.51µ ± 3%\nRSA/check-2048-bit-8       168.6µ ± 0%\nRSA/check-4096-bit-8       662.6µ ± 0%\n```\n\nEdDSA [Ed25519] produces small signatures and it performs well.\n\n\n## Standard Compliance\n\n* RFC 2617: “HTTP Authentication”\n* RFC 6750: “The OAuth 2.0 Authorization Framework: Bearer Token Usage”\n* RFC 7468: “Textual Encodings of PKIX, PKCS, and CMS Structures”\n* RFC 7515: “JSON Web Signature (JWS)”\n* RFC 7517: “JSON Web Key (JWK)”\n* RFC 7518: “JSON Web Algorithms (JWA)”\n* RFC 7519: “JSON Web Token (JWT)”\n* RFC 8037: “CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)”\n\n\n[![JWT.io](https://jwt.io/img/badge.svg)](https://jwt.io/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpascaldekloe%2Fjwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpascaldekloe%2Fjwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpascaldekloe%2Fjwt/lists"}