token

package
v0.1.0 Latest
Warning

This package is not in the latest version of its module.

Published: May 5, 2026 License: Apache-2.0 Imports: 4 Imported by: 10

Documentation

Overview

Package token provides support for parsing JSON Web Keys (JWK), creating signed JSON Web Tokens (JWT), and verifying JWT signatures.

Constants

This section is empty.

Variables

var ErrDuplicateKeyID = errors.New("Duplicate KeyID found")

ErrDuplicateKeyID is returned when initializing a verifier with multiple keys with the same KeyID. KeyIDs should be unique.

var ErrKeyIDNotFound = errors.New("Key ID not found for given token header")

ErrKeyIDNotFound is returned when trying to verify a token when there are no corresponding key IDs matching the token header.

Functions

func LoadJSONWebKey

func LoadJSONWebKey(json []byte, isPublic bool) (*jose.JSONWebKey, error)

LoadJSONWebKey loads and validates the given JWK.

Types

type Signer

type Signer struct {
	// contains filtered or unexported fields
}

Signer is a JWT signer. Requires a private JWK.

func NewSigner

func NewSigner(key []byte) (*Signer, error)

NewSigner accepts a serialized, private JWK and creates a new Signer instance.

func (*Signer) JWKS added in v0.0.13

func (s *Signer) JWKS() jose.JSONWebKeySet

JWKS returns a JSON Web Key Set containing the public key for this signer.

func (*Signer) Sign

func (s *Signer) Sign(cl jwt.Claims, extra ...any) (string, error)

Sign signs the given claims and returns the serialized token. Optional extra claim objects are merged into the JWT payload via go-jose's Builder.Claims(). If a field in extra serializes to a JSON key that is also set by cl, the standard claim wins: extras are applied first and cl last, so go-jose's later-wins merge semantics make cl authoritative.
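
An added example, not code from this package or from go-jose: a standard-library model of the merge order described above. stdClaims is a hypothetical stand-in for jwt.Claims and merge is an illustrative helper; it assumes unset standard fields are omitted from the JSON, in which case a colliding key in extra is not overridden and reaches the payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// stdClaims is a hypothetical stand-in for jwt.Claims. Unset fields are
// omitted from the JSON, so they cannot override anything.
type stdClaims struct {
	Issuer  string `json:"iss,omitempty"`
	Subject string `json:"sub,omitempty"`
	Expiry  int64  `json:"exp,omitempty"`
}

// merge applies extras first and cl last, so a key set by cl wins. It also
// returns the sorted extra keys that cl overrode, for logging or linting.
func merge(cl stdClaims, extra ...any) (map[string]any, []string, error) {
	payload, overridden := map[string]any{}, []string{}
	objs := append(append([]any{}, extra...), cl) // cl goes last
	for i, o := range objs {
		raw, err := json.Marshal(o)
		if err != nil {
			return nil, nil, err
		}
		m := map[string]any{}
		if err := json.Unmarshal(raw, &m); err != nil {
			return nil, nil, err // extra did not serialize to a JSON object
		}
		for k, v := range m {
			if _, clash := payload[k]; clash && i == len(objs)-1 {
				overridden = append(overridden, k)
			}
			payload[k] = v
		}
	}
	sort.Strings(overridden)
	return payload, overridden, nil
}

func main() {
	// Constructed input: extra collides with iss, exp and sub; cl leaves sub unset.
	extra := map[string]any{"iss": "other", "exp": 2000000000, "sub": "svc-a", "role": "admin"}
	payload, overridden, err := merge(stdClaims{Issuer: "auth.example", Expiry: 1700000000}, extra)
	fmt.Println(payload, overridden, err)
}
```
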

type Verifier

type Verifier struct {
	// contains filtered or unexported fields
}

Verifier is a JWT verifier. Requires a public JWK.

func NewVerifier

func NewVerifier(keys ...[]byte) (*Verifier, error)

NewVerifier accepts serialized, public JWKs and creates a new Verifier instance. Callers may pass multiple verifier keys to support rotation of signer keys or multiple issuers. When multiple keys are provided, each must have a distinct "keyid"; an error derived from ErrDuplicateKeyID is returned when keys share the same keyid.

func (*Verifier) Claims

func (k *Verifier) Claims(token string) (*jwt.Claims, error)

Claims extracts the standard JWT claims from a signed token. It fails on signature mismatch or on a missing or unknown key ID; otherwise it returns the claims as-is. The claim values are not validated against any jwt.Expected; that is the caller's responsibility.

func (*Verifier) Verify

func (k *Verifier) Verify(token string, exp jwt.Expected, extraDest ...any) (*jwt.Claims, error)

Verify authenticates the token signature and policy-checks the standard jwt.Claims against exp (iss, aud, exp, nbf, sub). Extra destination pointers are unmarshaled from the same JWT payload via go-jose's variadic Claims support. For example:

var custom MyCustomClaims
cl, err := v.Verify(token, expected, &custom)

Fields in extraDest are JSON-unmarshaled only; no value-level check is performed on them. Validating their values is the caller's responsibility.

If parsing succeeds but expected-claims validation fails, Verify returns the parsed claims along with the non-nil validation error.
