Minimal JSON Web Token

A minimal JSON Web Token library.

JSON Web Tokens are a method for representing claims between two parties.

They are used in authentication flows with a third party provider (e.g. Sign in with…) amongst other scenarios.

This crate provides functionality to sign and verify the signatures of JWTs.


Cryptography Features/Dependencies

This crate depends on other crates for all cryptographic operations. Find a supported crypto crate below which supports the algorithms required.

| Dependent Crate(s) | Algorithm(s) Supported | Feature(s) |
| --- | --- | --- |
| ring | ES256, HS256, RS256 | ring |
| rsa, sha2 | RS256 | rsa, sha2 |

For instance, if you need ES256 support, you may choose to use the p256 crate and/or the ring crate. Suppose you chose the p256 crate. In your crate, depend on this crate and the relevant dependent crate in your Cargo.toml:

min_jwt = { version = "0.4.0", features = [ "p256", "serde", "serde_json"] }
p256 = { version = "0.10.0", features = [ "ecdsa", "jwk", "pem"] }

Be sure to enable the relevant features as well.

When choosing a cryptography implementation, you may want to consider compatibility with your environment, the ability to import the signing and verifying keys in the given formats, and the security properties of the code (e.g. an audited implementation, resistance to timing attacks, etc.).


The encode_and_sign and verify functions are the primary functions for this crate.

To use the functions, construct the cryptography crate’s key. The cryptography crate may provide methods to import a key in PKCS8 PEM, PKCS8 DER, JSON Web Key (JWK), and other formats.

Then, use the key as either a sign::Signer or verify::Verifier parameter. The key may need to be wrapped in a provided type. See the sign or verify modules for more documentation and examples.


Sign using ES256 with p256 crate

let header = "{\"alg\":\"ES256\",\"typ\":\"JWT\"}";
let claims = "{\"sub\":\"1234567890\",\"name\":\"Jane Doe\",\"iat\":1516239022}";
let jwk = r#"
{
    "kty": "EC",
    "crv": "P-256",
    "x": "erEk-zqoG1oYBLD3ohuz0tzIlU7XzFG1098HcCOu0Ck",
    "y": "lQLKfGS2F6mA97bOvo9AlfyNsn88Mf6Iwa5vmf6UkJw",
    "d": "8UmkmK0KO64KCDRZb4RCAHRZ0AfRWBn3Pv6hTv1VR9k"
}
"#;

let secret_key = ::p256::SecretKey::from_jwk_str(jwk).unwrap();
let signing_key = ::p256::ecdsa::SigningKey::from(secret_key);

let jwt = min_jwt::encode_and_sign(header, claims, &signing_key)?;

Verify using RS256 with rsa and sha2 crates

use ::rsa::pkcs8::DecodePublicKey;

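// The PEM body is not shown on this page; substitute your own RSA public key.
// `jwt` below is the compact JWT string whose signature is to be verified.
let public_key = "-----BEGIN PUBLIC KEY-----
<PEM body omitted>
-----END PUBLIC KEY-----";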

let public_key = ::rsa::RsaPublicKey::from_public_key_pem(public_key).unwrap();

let verifier = min_jwt::verify::rsa::PublicKeyVerifier::with_rs256(public_key);
let result = min_jwt::verify(jwt, &verifier)?;

let header = result.decode_header();
let claims = result.decode_claims();


Licensed under either of Apache License, Version 2.0 or MIT License at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


pub use error::Error;


Algorithms used to sign the JWT.

Error type.

Sign JWTs using various signature algorithms.

Helpers for time.

Verify various types of signatures for a JWT.


Contains the issuer ID, when the token was issued, and when the token expires.

Contains the algorithm and the key ID used to sign the JWT.

Represents a JSON Web Token which has had its signature verified.

Represents an unverified JSON Web Token.


A marker trait for a JWT’s claims.

A marker trait for a JWT’s header.


Base64 encodes byte representations of the header and claims, constructs the signing input, signs the data, and then returns the JWT.

serialize_encode_and_sign (requires the serde and serde_json features)

Serializes the types to JSON, base64 encodes the JSON, constructs the signing input, signs the data, and then returns the JWT.

Attempts to verify a JWT’s signature.
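
The steps listed above for encode_and_sign (base64 encode, construct the signing input, sign, return the JWT), as an added std-only Rust illustration that is not min_jwt's own code. The names `b64url`, `signing_input`, `assemble` and `split_compact` are hypothetical, the signer is a closure returning constructed placeholder bytes, and `split_compact` shows the structural check that lets a verifier check the signature over the segments exactly as received.

```rust
// Added example (std only). Function names are hypothetical, not min_jwt's API.
const B64URL: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Base64url without padding, the encoding JWS uses for every segment.
fn b64url(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        // Pack up to three bytes into the top of a 24-bit group.
        let n = chunk.iter().fold(0u32, |acc, &b| (acc << 8) | b as u32) << (8 * (3 - chunk.len()));
        // k input bytes produce k + 1 output characters; no '=' padding is emitted.
        for i in 0..=chunk.len() {
            out.push(B64URL[((n >> (18 - 6 * i)) & 0x3f) as usize] as char);
        }
    }
    out
}

/// The exact bytes that get signed: base64url(header) + "." + base64url(claims).
fn signing_input(header: &str, claims: &str) -> String {
    format!("{}.{}", b64url(header.as_bytes()), b64url(claims.as_bytes()))
}

/// Signs the signing input with `sign` (a stand-in for a real signer) and appends the signature.
fn assemble(header: &str, claims: &str, sign: impl Fn(&[u8]) -> Vec<u8>) -> String {
    let input = signing_input(header, claims);
    let signature = sign(input.as_bytes());
    format!("{}.{}", input, b64url(&signature))
}

/// Splits a compact JWT into (signing input as received, signature segment).
/// Returns None unless there are exactly three non-empty, unpadded base64url segments.
fn split_compact(jwt: &str) -> Option<(&str, &str)> {
    let (input, sig) = jwt.rsplit_once('.')?;
    let (header, claims) = input.split_once('.')?;
    // '.' and '=' are outside the alphabet, so extra segments and padding are rejected here.
    let ok = |s: &str| !s.is_empty() && s.bytes().all(|b| B64URL.contains(&b));
    if ok(header) && ok(claims) && ok(sig) { Some((input, sig)) } else { None }
}

fn main() {
    let header = "{\"alg\":\"ES256\",\"typ\":\"JWT\"}";
    let claims = "{\"sub\":\"1234567890\",\"name\":\"Jane Doe\",\"iat\":1516239022}";
    // Constructed placeholder bytes, not a real ES256 signature.
    let jwt = assemble(header, claims, |_| vec![0xfb, 0xff]);
    println!("{jwt}");
    println!("{:?}", split_compact(&jwt));
}
```

The signature is computed over the encoded segments, so a verifier must use the received `header.claims` text as is and never re-serialize the decoded JSON before checking it.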