jwtutil

package
v1.46.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 15, 2026 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Overview

Package jwtutil offers shared helpers for signing and verifying JWTs with statically-configured multi-key sets — i.e. kid-based key rotation. It replaces the convenience that go-jose's JSONWebKeySet provided when picking the right key out of a set during verification, which golang-jwt/jwt/v5 leaves to the caller.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrEmptyKeySet    = errors.New("jwtutil: key set is empty")
	ErrDuplicateKeyID = errors.New("jwtutil: duplicate key ID")
	ErrUnknownKeyID   = errors.New("jwtutil: unknown signing key")
	ErrSigningMethod  = errors.New("jwtutil: unsupported signing method")
)

Functions

func HMACKeyID

func HMACKeyID(key []byte) string

HMACKeyID derives a stable, opaque identifier for an HMAC key as the first 8 bytes of its SHA-256, base64(RawStdEncoding)-encoded. Use when keys are configured as opaque secrets without explicit IDs.

Types

type HMACKey

type HMACKey struct {
	// ID is the value placed in (and matched against) the JWT's `kid` header.
	ID string
	// Key is the HMAC shared secret.
	Key []byte
}

HMACKey is one entry in an HMACKeySet.

type HMACKeySet

type HMACKeySet struct {
	// contains filtered or unexported fields
}

HMACKeySet is an ordered set of HMAC keys for signing and verifying JWTs with kid-based key rotation. The first key is the active signer; all keys in the set are accepted during verification, allowing graceful rotation without invalidating in-flight tokens.

func NewHMACKeySet

func NewHMACKeySet(method jwt.SigningMethod, keys ...HMACKey) (*HMACKeySet, error)

NewHMACKeySet builds an HMACKeySet for the given signing method. method must be one of jwt.SigningMethodHS256 / HS384 / HS512. The first key in keys is the active signer.

func NewHMACKeySetFromBytes

func NewHMACKeySetFromBytes(method jwt.SigningMethod, keys ...[]byte) (*HMACKeySet, error)

NewHMACKeySetFromBytes is a convenience that derives each key's ID via HMACKeyID. Use when keys are configured as opaque secrets and the caller doesn't manage key IDs explicitly.

func (*HMACKeySet) ParseWithClaims

func (ks *HMACKeySet) ParseWithClaims(token string, claims jwt.Claims, opts ...jwt.ParserOption) (*jwt.Token, error)

ParseWithClaims parses and verifies the token, selecting the signing key from the set by matching the token's `kid` header. The set's signing method is enforced via jwt.WithValidMethods. Additional parser options (WithIssuer, WithLeeway, WithExpirationRequired, …) may be passed.

func (*HMACKeySet) Sign

func (ks *HMACKeySet) Sign(claims jwt.Claims) (string, error)

Sign returns a compact-serialized JWT signed with the active (first) key. The active key's ID is set as the `kid` header.

func (*HMACKeySet) SigningMethod

func (ks *HMACKeySet) SigningMethod() jwt.SigningMethod

SigningMethod returns the signing method enforced by this key set.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL