{"id":34119198,"url":"https://github.com/pcman312/vault-plugin-secrets-jwt","last_synced_at":"2026-06-09T07:31:28.219Z","repository":{"id":57620865,"uuid":"313398554","full_name":"pcman312/vault-plugin-secrets-jwt","owner":"pcman312","description":"JWT secrets engine for Vault. Originally built for a hackathon, but a reasonable starting point to make production ready.","archived":false,"fork":false,"pushed_at":"2021-10-27T01:07:36.000Z","size":49,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-17T06:23:51.335Z","etag":null,"topics":["jwt","vault","vault-plugins"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pcman312.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-11-16T18:56:05.000Z","updated_at":"2025-09-06T20:04:30.000Z","dependencies_parsed_at":"2022-08-27T06:12:29.668Z","dependency_job_id":null,"html_url":"https://github.com/pcman312/vault-plugin-secrets-jwt","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/pcman312/vault-plugin-secrets-jwt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pcman312%2Fvault-plugin-secrets-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pcman312%2Fvault-plugin-secrets-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pcman312%2Fvault-plugin-secrets-jwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pcman312%2Fvault-plugin-secrets-jwt/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pcman312","download_url":"https://codeload.github.com/pcman312/vault-plugin-secrets-jwt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pcman312%2Fvault-plugin-secrets-jwt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34096950,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-09T02:00:06.510Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt","vault","vault-plugins"],"created_at":"2025-12-14T21:03:38.636Z","updated_at":"2026-06-09T07:31:28.215Z","avatar_url":"https://github.com/pcman312.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault-plugin-secrets-jwt\nA Vault secrets engine for generating and validating arbitrary JWTs.\n\n## Usage\n\n1. Register the plugin via [Vault's plugin system](https://www.vaultproject.io/docs/internals/plugins.html)\n2. Enable the engine:\n   ```shell script\n   $ vault secrets enable -path=jwt vault-plugin-secrets-jwt\n   Success! Enabled the vault-plugin-secrets-jwt secrets engine at: jwt/\n   ```\n3. Configure a role. You must specify two fields:\n   - `alg`: The signing algorithm to use. Allowed values: `RS256`, `RS384`, `RS512`, `HS256`, `HS384`,\n     `HS512`, `ES256`, `ES384`, `ES512`. 
This is case-insensitive.\n   - `exp`: The amount of time before a JWT expires. Unlike in an actual JWT, this is the duration that the JWT\n     should live. This can be either an integer number of seconds or a value in suffix notation, such as `1h`.\n   \n   If you do not specify the `key` field, a key will be generated automatically by Vault. If you do specify a key,\n   it must match the signing method specified in `alg`.\n   \n   You may specify any arbitrary key/value pairs you wish.\n   \n   ```shell script\n   $ vault write jwt/roles/myrole/config alg=RS512 exp=1h foo=bar bar=baz\n   Success! Data written to: jwt/roles/myrole/config\n   ```\n4. Generate a JWT\n   ```shell script\n   $ vault read jwt/roles/myrole/generate\n   Key      Value\n   ---      -----\n   token    eyJhbGciOiJSUzUxM \u003cshortened for brevity\u003e oN6s7FfP4NuFc-K1yg\n   ```\n5. Validate a JWT\n   ```shell script\n   $ vault write jwt/roles/myrole/validate token=\"${TOKEN}\"\n   Key       Value\n   ---       -----\n   claims    map[bar:baz exp:1605829718 foo:bar iat:1605826118 iss:vault/myrole jti:34e888e2-22f1-4f96-f22e-8ef1894aed42]\n   ```\n\n## Endpoints\n\n### `/roles/{name}/config`\nConfigures a JWT role. Generates an RSA key by default.\n\nAllows the user to specify any key/value pairs to include in the JWT.\n\nWhen read, only the public key will be returned (or the key is redacted if it is a symmetric key).\nThis is to protect the key from access by users who shouldn't be able to see it.\nKey-exporting is not supported. If you need the key outside of this engine, generate it yourself and\nprovide it rather than having the engine generate one. 
\n\n### `/roles/{name}/generate`\nGenerates a JWT and returns it as a secret.\n\n### `/roles/{name}/validate`\nValidates a provided JWT against the specified role.\n\n## Features/TODO list\n- ✅ Certain fields need explicitly specified types:\n  - `exp` - Duration (creation + this value =\u003e JWT expiration)\n- ✅ Validation of key/value pairs against default types\n  - ✅ Not allowed:\n    - `jti` (JWT ID)\n    - `iat` (Issued At)\n  - ✅ Defaults:\n    - `iss` - `\"vault/{name}\"` where `{name}` is the name of the role?\n- ✅ Allow user to provide key\n- ✅ Generate a key when one isn't provided\n  - ✅ RSA\n  - ✅ HMAC\n  - ✅ ECDSA\n- ✅ Supported key types\n  - ✅ RSA   (RS256, RS384, RS512)\n  - ✅ HMAC  (HS256, HS384, HS512)\n  - ✅ ECDSA (ES256, ES384, ES512)\n- ❌ Logging?\n- ❌ Key lifecycle\n  - ❌ Replace an existing key\n  - ❌ Allow validation with an old key for a configurable amount of time?\n- ❌ Allow for time skewing\n  - This one is potentially problematic with the library I'm using here since it is configured\n    with a global TimeFunc variable.\n\n## Possible features\n- Allow generation-time claims? `nbf` comes to mind, but possibly allow other fields? This would\n  allow JWTs to be configurable during generation. We would probably need operator-configurable\n  protections on which fields can be specified and perhaps which values each field\n  may take.\n- Allow users to invalidate specific JWTs based on the JWT ID field (`jti`)\n- An endpoint that returns the role name of the provided JWT\n- Templating within fields. Ex: `{.RoleName}` for the name of the role in Vault\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpcman312%2Fvault-plugin-secrets-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpcman312%2Fvault-plugin-secrets-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpcman312%2Fvault-plugin-secrets-jwt/lists"}