Documentation
Overview
Package jwt issues self-signed JSON Web Tokens. It parses a private signing key from a JSON Web Key (JWK) once and mints compact-serialized tokens on demand, stamping the key's id into the token header so verifiers can locate the matching public key.
The signing algorithm is derived from the key type, never chosen by the caller or read from the JWK's "alg" field, so it can never disagree with the key. Only key types that map to a single unambiguous algorithm are supported:
ed25519.PrivateKey -> EdDSA
*ecdsa.PrivateKey  -> ES256 / ES384 / ES512 (by curve: P-256 / P-384 / P-521)
RSA is intentionally unsupported: an RSA key does not determine a single algorithm (RS256/384/512, PS256/384/512), so signing one would require the library to pick on the caller's behalf.
Types
type SigningKey
type SigningKey struct {
// contains filtered or unexported fields
}
SigningKey is a private signing key, parsed from a JWK, that mints signed JWTs using the algorithm determined by the key type.
func ParseJWK
func ParseJWK(jwk string) (*SigningKey, error)
ParseJWK parses jwk, a single JSON Web Key, and returns its private signing key. The key must be of a type that maps to a single signing algorithm: an Ed25519 private key (kty "OKP", crv "Ed25519") or an ECDSA private key (kty "EC", crv "P-256", "P-384", or "P-521"), both carrying the private "d" component. RSA keys are rejected because their algorithm is ambiguous.
func (*SigningKey) Issue
Issue mints a compact-serialized JWT signed with the key, using the algorithm determined by the key type. The signing key's id is set in the "kid" header field. The token carries all seven registered claims (RFC 7519): iss, sub, and aud as given, iat at the current time, nbf backdated by a small clock-skew leeway, exp set to ttl after issuance, and a random jti.