.
) to form the complete JWT token.
JWT
) and the signing algorithm used, such as HS256
for HMAC SHA-256 or ES256
for ECDSA using P-256 and SHA-256.
The header provides information about how the JWT is encoded and secured.
HS256
algorithms as an example, but Chainstack uses the EdDSA
algorithms as it is more secure.iss
for issuer and exp
for expiration time, while public and private claims can be custom-defined by the developer.
Some of the most common JWT claims are:
iss
(Issuer) — identifies the provider or application that issued the JWT. The issuer claim is usually a string or a URI representing the entity that created the JWT, for example, chainstack
.sub
(Subject) — identifies who the JWT is for. This is used to keep track of which user the token is meant for by storing the unique identifier of the user.aud
(Audience) — identifies the recipients of the JWT. It essentially specifies the applications, services, or servers that are allowed to process the token.exp
(Expiration Time) — specifies the expiration date and time, in seconds since the Unix epoch, after which the JWT must not be accepted for processing. This claim is used to define the token’s validity period, after which it should be considered expired and rejected.nbf
(Not Before) — specifies the date and time, in seconds since the Unix epoch, before which the JWT must not be accepted for processing. This claim is used to define the earliest possible time when the token can be considered valid.iat
(Issued At) — specifies the date and time, in seconds since the Unix epoch, when the JWT was issued. This claim can be used to determine the token’s age and potentially reject tokens issued too far in the past..
) separator and then hashed with the secret key using the algorithm specified in the header.
Example of signature creation using HMAC SHA-256:
.
), like the following:
Authorization
header using the Bearer
schema, which looks like the following:
iss
, exp
, nbf
, sub
, and aud
, to confirm it’s a valid token issued for the user and intended for the server.generate-jwt.js
in your project’s directory and paste the following code:
HS256
algorithm. Finally, the generated token is printed to the console.
.env
file where you can store your secret key, then run this code and generate your own JWT.
Create the secret key variable in this format:
validate-jwt.js
. Once you’ve created the file, simply copy and paste the following code snippet:
async
function named verifyJwt
, which accepts four parameters: secret
, jwt
, issuer
, and audience
.
This function attempts to verify the provided JWT using the secret key, the issuer, and the audience parameters specified. If the verification process is successful, it returns the protected header and payload of the JWT. In case of any errors, an error message is logged.
To use this code, simply replace the jwt
constant with the JWT that you generated using the previous script and run it. If the token is valid, you’ll receive a response that looks something like this:
generate_jwt.py
and paste the following code:
HS256
signing algorithm.
The claims include subject, issuer, expiration time, not before time, issued at time, and audience. The dotenv library is used to load the secret key from a .env
file. The generated JWT token is printed as output.
To run it, create a .env
file where you can store your secret key, then run this code and generate your own JWT.
Create the secret key variable in this format:
validate_jwt.py
, and paste the following code:
SECRET_KEY
, ALGORITHM
, and EXPECTED_AUDIENCE
—which are used by the verify_token
function.
Then, the code defines a function named verify_token
that takes as input parameters a token string, a secret key, an algorithm, and an expected audience value. The function attempts to decode the token and returns the decoded claims data as a dictionary if the token is valid. If the token is invalid, an error message is printed, and None
is returned.
Replace the token
variable with the JWT you generated using the previous script, then run it; you will be able to validate the token. The response will look like the following:
.env
files.generate
, then create a new file named generate-jtw.go
and paste the following code:
loadEnvVars()
, getSecretKey()
, and createToken()
.
The loadEnvVars()
function loads environment variables from an external .env
file. The getSecretKey()
function retrieves the SECRET_KEY
value from environment variables or returns an error message if the value is not set.
The createToken()
function creates a JWT object with custom claims, which include the issuer, audience, timestamp, and user id. In this case, we are using the HS266
algorithm with SigningMethodHS256
. It then signs the JWT using the secret key value.
The main()
function calls these three functions in order to create a new JWT with custom claims and prints the token to the console.
.env
file in the same directory and set up your secret key using this format:
go build
command. This will create an executable file you can run:
generate.exe
on Windows.validate
in the root of your project, create a .env
file like the previous one, and create a new file named validate-jwt.go
; then paste the following code in it:
main
function loads environment variables, gets a secret key, validates a JWT token using the secret key, and prints the token’s claims if it’s valid.
The loadEnvVars()
function uses the godotenv
package to load environment variables from a .env
file. The getSecretKey()
function retrieves the secret key from the loaded environment variables.
The validateToken()
function takes a token string and a secret key as input. It uses the jwt-go package to parse and validate the token. It checks if the token signature is valid by verifying it with the provided secret key. If the token is valid, it returns the token’s claims.
Finally, the main
function calls the loadEnvVars()
and getSecretKey()
functions to get the secret key, then calls the validateToken()
function to validate a token string. If the token is valid, it prints the token’s claims.
To run this code, replace the tokenToValidate
variable with your JWT, then build and run the application.
Now you are ready to validate users using Golang as well.