Versions in this module Expand all Collapse all v0 v0.7.0 May 10, 2026 Changes in this version
+ const AudienceAPI
+ const AudienceBFF
+ const PrincipalTypeAgent
+ const PrincipalTypeApplication
+ const PrincipalTypeHuman
+ const PrincipalTypeService
+ var ErrAudienceMismatch = errors.New("audience mismatch")
+ var ErrInvalidAlgorithm = errors.New("invalid signing algorithm")
+ var ErrInvalidToken = errors.New("invalid token")
+ var ErrMissingPublicKey = errors.New("public key required when using asymmetric signing")
+ var ErrNoSigningKey = errors.New("no signing key configured: provide Secret or PrivateKey")
+ var ErrScopesRequired = errors.New("at least one scope is required for API tokens")
+ var ErrTokenExpired = errors.New("token expired")
+ var ErrWrongTokenType = errors.New("wrong token type")
+ func ComputeTokenHash(token string) string
+ type CNFClaim struct
+ JKT string
+ type Claims struct
+ ClientID string
+ Confirmation *CNFClaim
+ Email string
+ IsPlatformAdmin bool
+ Name string
+ OrganizationID *uuid.UUID
+ OrganizationSlug string
+ Permissions []string
+ PrincipalID uuid.UUID
+ PrincipalType string
+ Role string
+ Scopes []string
+ TokenFamily string
+ TokenType TokenType
+ func NewAccessClaims(cfg *Config, principalID uuid.UUID, email, name string) *Claims
+ func NewRefreshClaims(cfg *Config, principalID uuid.UUID, family string) *Claims
+ func (c *Claims) Audience() string
+ func (c *Claims) DPoPThumbprint() string
+ func (c *Claims) HasAudience(aud string) bool
+ func (c *Claims) IsAccessToken() bool
+ func (c *Claims) IsDPoPBound() bool
+ func (c *Claims) IsExpired() bool
+ func (c *Claims) IsRefreshToken() bool
+ func (c *Claims) WithAudience(audiences ...string) *Claims
+ func (c *Claims) WithClientID(clientID string) *Claims
+ func (c *Claims) WithDPoPBinding(thumbprint string) *Claims
+ func (c *Claims) WithOrganization(orgID uuid.UUID, slug, role string, permissions []string) *Claims
+ func (c *Claims) WithPlatformAdmin(isPlatformAdmin bool) *Claims
+ func (c *Claims) WithPrincipalType(principalType string) *Claims
+ func (c *Claims) WithScopes(scopes []string) *Claims
+ type Config struct
+ AccessTokenExpiry time.Duration
+ Algorithm string
+ Audience []string
+ Issuer string
+ PrivateKey any
+ PublicKey any
+ RefreshTokenExpiry time.Duration
+ RefreshTokenRotation bool
+ Secret []byte
+ func DefaultConfig() *Config
+ func (c *Config) Validate() error
+ type DPoPBinding struct
+ Thumbprint string
+ type Service struct
+ func NewService(cfg *Config) (*Service, error)
+ func (s *Service) AccessTokenTTL() time.Duration
+ func (s *Service) Config() *Config
+ func (s *Service) GenerateAPIToken(principalID uuid.UUID, email, name string, scopes []string, ...) (string, error)
+ func (s *Service) GenerateAccessToken(principalID uuid.UUID, email, name string) (string, error)
+ func (s *Service) GenerateAccessTokenWithAudience(principalID uuid.UUID, email, name string, audience string, scopes []string) (string, error)
+ func (s *Service) GenerateAccessTokenWithOptions(principalID uuid.UUID, email, name string, opts TokenOptions) (string, error)
+ func (s *Service) GenerateAccessTokenWithOrg(principalID uuid.UUID, email, name string, orgID uuid.UUID, ...) (string, error)
+ func (s *Service) GenerateAccessTokenWithOrgAndOptions(principalID uuid.UUID, email, name string, orgID uuid.UUID, ...) (string, error)
+ func (s *Service) GenerateBFFTokenPair(principalID uuid.UUID, email, name string) (*TokenPair, error)
+ func (s *Service) GenerateRefreshToken(principalID uuid.UUID, family string) (string, error)
+ func (s *Service) GenerateTokenPair(principalID uuid.UUID, email, name string) (*TokenPair, error)
+ func (s *Service) GenerateTokenPairLegacy(principalID uuid.UUID, email string, isPlatformAdmin bool) (*TokenPair, error)
+ func (s *Service) GenerateTokenPairWithAudience(principalID uuid.UUID, email, name string, audience string, scopes []string) (*TokenPair, error)
+ func (s *Service) GenerateTokenPairWithOptions(principalID uuid.UUID, email, name string, opts TokenOptions) (*TokenPair, error)
+ func (s *Service) GenerateTokenPairWithOrg(principalID uuid.UUID, email, name string, orgID uuid.UUID, ...) (*TokenPair, error)
+ func (s *Service) RefreshTokenTTL() time.Duration
+ func (s *Service) ValidateAccessToken(tokenString string) (*Claims, error)
+ func (s *Service) ValidateAccessTokenWithAudience(tokenString string, expectedAudience string) (*Claims, error)
+ func (s *Service) ValidateRefreshToken(tokenString string) (*Claims, error)
+ type TokenOptions struct
+ DPoPThumbprint string
+ type TokenPair struct
+ AccessToken string
+ ExpiresIn int64
+ RefreshToken string
+ type TokenType string
+ const AccessToken
+ const RefreshToken
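Review bot: None of the three validation methods (`ValidateAccessToken`, `ValidateAccessTokenWithAudience`, `ValidateRefreshToken`) accepts a DPoP proof or key thumbprint, so as far as this listing shows, a token carrying `Confirmation` is sender-constrained only if the caller compares `Claims.DPoPThumbprint()` with the proof key itself. That contract belongs in the doc comments, for example `// ValidateAccessToken does not verify DPoP binding; callers must check Claims.IsDPoPBound() and compare DPoPThumbprint() with the proof's JWK thumbprint.` `ValidateAccessToken` also takes no expected audience although `AudienceAPI` and `AudienceBFF` are distinct values, so its comment should state whether it checks `Config.Audience` or leaves audience enforcement to callers. Only signatures are visible here, so the bodies may already enforce more than the listing suggests.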