::nx::Object ::nx::Object ::ns_crypto::JWT ::ns_crypto::JWT alg_to_hmac_digest alg_to_verify_spec build_protected_header decode encode hmac_sign jwk_ec_curve_to_ns_curve jwk_supports_alg public_key_from_jwk resolve_signing_key_pem resolve_verification_key_pem select_jwk_from_jwks sign split_token verify verify_hmac verify_registered_claims verify_signature ::ns_crypto::JWT->::nx::Object

Class ::ns_crypto::JWT

::ns_crypto::JWT[i] create ...
Defined in

Class Relations

  • class: ::nx::Class[i]
  • superclass: ::nx::Object[i]

Methods (to be applied on instances)

  • decode (scripted, public)

     <instance of ns_crypto::JWT[i]> decode token

    Decode a JSON Web Token (JWT) without performing signature verification. The method splits the token into its three components, decodes the protected header and payload from base64url, and parses them as JSON. The signature part is returned as raw binary data.

    Parameters:
    token (required)
    JWT string in compact serialization format ("header.payload.signature").
    Returns:
    A Tcl dictionary with the following keys: header — parsed JWT header as Tcl dictionary payload — parsed JWT payload as Tcl dictionary signature — raw binary signature (empty for "alg=none")

    Testcases:
    No testcase defined.

  • encode (scripted, public)

     <instance of ns_crypto::JWT[i]> encode -alg alg  [ -key key ] \
    [ -jwk jwk ] [ -secret secret ] [ -kid kid ] [ -typ typ ] \
    [ -cty cty ] [ -extraheader extraheader ] [ -iss iss ] \
    [ -sub sub ] [ -aud aud ] [ -exp exp ] [ -nbf nbf ] [ -iat iat ] \
    [ -jti jti ] [ extrapayload ]

    Create a JSON Web Token (JWT) in compact serialization format. The method builds a protected header and payload, encodes both as base64url, and signs the resulting input using the specified algorithm. The payload is constructed from standard JWT claims provided as named parameters and optional additional claims in triple form.

    Switches:
    -alg (required)
    Signature algorithm (e.g., EdDSA, ES256, ES256K, ES384, ES512, RS256, RS384, RS512, or "none"). When "none" is specified, no signature is added.
    -key (optional)
    Private key in PEM format (string or file) used for signing.
    -jwk (optional)
    JWK representation of the private key. Support for signing from JWK is reserved for future use and is not implemented yet.
    -secret (optional)
    Shared secret used for HS256, HS384, and HS512.
    -kid (optional)
    Optional key identifier to be included in the JWT header.
    -typ (optional, defaults to "JWT")
    Optional type header (defaults to "JWT").
    -cty (optional)
    Optional content type header.
    -extraheader (optional)
    Additional header fields in triple form (name type value ...), merged into the protected header.
    -iss (optional)
    Issuer claim.
    -sub (optional)
    Subject claim.
    -aud (optional)
    Audience claim. May be a single value or a list of values. Multiple values are encoded as a JSON array.
    -exp (optional)
    Expiration time (numeric, seconds since epoch).
    -nbf (optional)
    Not-before time (numeric, seconds since epoch).
    -iat (optional)
    Issued-at time (numeric, seconds since epoch).
    -jti (optional)
    JWT ID claim.
    Parameters:
    extrapayload (optional)
    Additional payload fields in triple form (name type value ...), appended to the payload.
    Returns:
    A JWT string in compact form "header.payload.signature". When alg is "none", the signature part is empty.

    Testcases:
    No testcase defined.

  • verify (scripted, public)

     <instance of ns_crypto::JWT[i]> verify [ -alg alg ] [ -key key ] \
    [ -jwk jwk ] [ -jwks jwks ] [ -secret secret ] [ -kid kid ] \
    [ -requirekid ] [ -verifyclaims ] [ -aud aud ] [ -iss iss ] \
    [ -sub sub ] [ -clockskew clockskew ] [ -now now ] token

    Verify a JSON Web Token (JWT) and optionally validate claims. The method decodes the token, resolves a verification key, and verifies the signature according to the algorithm specified in the JWT header. Optionally, registered claims can be validated.

    Switches:
    -alg (optional)
    Expected signature algorithm. When specified, the value must match the "alg" field in the JWT header.
    -key (optional)
    Public key in PEM format (string or file) used for verification.
    -jwk (optional)
    JWK representation of the public key used for verification
    -jwks (optional)
    JWK set (list or dictionary of JWKs). When specified, the key is selected based on the "kid" value.
    -secret (optional)
    Shared secret used for HS256, HS384, and HS512.
    -kid (optional)
    Expected key identifier. When specified, it must match the "kid" value in the JWT header.
    -requirekid (optional)
    When true, require that the JWT header contains a "kid" field.
    -verifyclaims (optional)
    When true, validate registered claims such as expiration, not-before, issuer, subject, and audience.
    -aud (optional)
    Expected audience claim.
    -iss (optional)
    Expected issuer claim.
    -sub (optional)
    Expected subject claim.
    -clockskew (optional, defaults to "0")
    Allowed clock skew in seconds when validating time-based claims.
    -now (optional)
    Reference time (seconds since epoch) used for claim validation. When not specified, the current time is used.
    Parameters:
    token (required)
    JWT string in compact serialization format ("header.payload.signature").
    Returns:
    A Tcl dictionary containing: valid — boolean indicating successful verification header — parsed JWT header as Tcl dictionary payload — parsed JWT payload as Tcl dictionary kid — resolved key identifier (may be empty) alg — algorithm used for verification

    Testcases:
    No testcase defined.