Home

JSON::JWT

Install

gem install json-jwt

Require

require 'json/jwt'

JSON Web Token (JWT)

JSON::JWT is a subclass of ActiveSupport::HashWithIndifferentAccess, so you can initialize it in ActiveSupport::HashWithIndifferentAccess way, and access any claims via JSON::JWT#[] like a Hash instance.

jwt[:iss] # => 'nov'

To access JWT header, simply call JSON::JWT#header.

jwt.header # => {typ: :JWT, alg: :none}

Several common header attributes has its shortcut methods (both read & write).

jwt.kid = 'default-key'
jwt.kid # => 'default-key'

jwt.alg = :RS256
jwt.alg # => :RS256

jwt.header # => {typ: :JWT, alg: :RS256, kid: 'default-key'}

JSON Web Signature (JWS)

Signing

In many cases, you will sign and/or encrypt JWTs. (alg=none won't be used in general) For signing, call JSON::JWT#sign(key, algorithm).

These values are supported as algorithm.

• HS256 (default)
• HS384
• HS512
• RS256
• RS384
• RS512
• ES256
• ES384
• ES512

For historical reasons, HS256 is the default, but I recommend you to use RS256 if possible. Using shared key isn't a good choice for assertion signing in general.

HMAC-SHA***

shared_key = 'shared-key'
jwt.sign(shared_key) # HS256 is the default
jwt.sign(shared_key, :HS384)
jwt.sign(shared_key, :HS512)

RSA-SHA***

private_key = OpenSSL::PKey::RSA.new(2048)
jwt.sign(private_key, :RS256)
jwt.sign(private_key, :RS384)
jwt.sign(private_key, :RS512)

ECDSA-SHA

private_key = OpenSSL::PKey::EC.new('prime256v1').generate_key
jwt.sign(private_key, :ES256)

private_key = OpenSSL::PKey::EC.new('secp384r1').generate_key
jwt.sign(private_key, :ES384)

private_key = OpenSSL::PKey::EC.new('secp521r1').generate_key
jwt.sign(private_key, :ES512)

Verifying

TODO

JSON Web Encryption (JWE)

JSON Web Key (JWK)

JSON Web Key Set (JWKS)