Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.
The SignJWT class is used to build and sign Compact JWS formatted JSON Web Tokens.
This class is exported (as a named export) from the main 'jose'
module entry point as well as
from its subpath export 'jose/jwt/sign'
.
Usage with a symmetric secret
const secret = new TextEncoder().encode(
'cc7e0d44fd473002f1c42167459001140ec6389b7353f8088f4d9a95f2f596f2',
)
const alg = 'HS256'
const jwt = await new jose.SignJWT({ 'urn:example:claim': true })
.setProtectedHeader({ alg })
.setIssuedAt()
.setIssuer('urn:example:issuer')
.setAudience('urn:example:audience')
.setExpirationTime('2h')
.sign(secret)
console.log(jwt)
Usage with a private PKCS#8 encoded RSA key
const alg = 'RS256'
const pkcs8 = `-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCFg4UrY5xtulv
/NXKmL1J4qI1SopAfTNMo3X7p+kJO7plqUYjzaztcre1qfh0m33Sm1Q8oPbO/GpP
MU1/HgcceytgJ/b4UwufVVMl9BrMDYG8moDBylbVupFQS3Ly1L9i/iFG9Z9A9xzY
Zzf799A45bnvNXL6s2glzvjiRvfQ2NDF0anTcnZLcYtC7ugq1IMM+ihAcPfw8Qw2
chN/SmP4qAM+PKaQwagmU7doqmmyN9u38AfoYZ1GCFhEs5TBBT6H6h9YdHeVtiIq
1c+fl03biSIfLrV7dUBD39gBmXBcL/30Ya3D82mCEUC4zg/UkOfQOmkmV3Lc8YUL
QZ8EJkBLAgMBAAECggEAVuVE/KEP6323WjpbBdAIv7HGahGrgGANvbxZsIhm34ls
VOPK0XDegZkhAybMZHjRhp+gwVxX5ChC+J3cUpOBH5FNxElgW6HizD2Jcq6t6LoL
YgPSrfEHm71iHg8JsgrqfUnGYFzMJmv88C6WdCtpgG/qJV1K00/Ly1G1QKoBffEs
+v4fAMJrCbUdCz1qWto+PU+HLMEo+krfEpGgcmtZeRlDADh8cETMQlgQfQX2VWq/
aAP4a1SXmo+j0cvRU4W5Fj0RVwNesIpetX2ZFz4p/JmB5sWFEj/fC7h5z2lq+6Bm
e2T3BHtXkIxoBW0/pYVnASC8P2puO5FnVxDmWuHDYQKBgQDTuuBd3+0tSFVEX+DU
5qpFmHm5nyGItZRJTS+71yg5pBxq1KqNCUjAtbxR0q//fwauakh+BwRVCPOrqsUG
jBSb3NYE70Srp6elqxgkE54PwQx4Mr6exJPnseM9U4K+hULllf5yjM9edreJE1nV
NVgFjeyafQhrHKwgr7PERJ/ikwKBgQDqqsT1M+EJLmI1HtCspOG6cu7q3gf/wKRh
E8tu84i3YyBnI8uJkKy92RNVI5fvpBARe3tjSdM25rr2rcrcmF/5g6Q9ImxZPGCt
86eOgO9ErNtbc4TEgybsP319UE4O41aKeNiBTAZKoYCxv/dMqG0j4avmWzd+foHq
gSNUvR2maQKBgQCYeqOsV2B6VPY7KIVFLd0AA9/dwvEmgAYLiA/RShDI+hwQ/5jX
uxDu37KAhqeC65sHLrmIMUt4Zdr+DRyZK3aIDNEAesPMjw/X6lCXYp1ZISD2yyym
MFGH8X8CIkstI9Faf9vf6PJKSFrC1/HA7wq17VCwrUzLvrljTMW8meM/CwKBgCpo
2leGHLFQFKeM/iF1WuYbR1pi7gcmhY6VyTowARFDdOOu8GXYI5/bz0afvCGvAMho
DJCREv7lC/zww6zCTPYG+HOj+PjXlJFba3ixjIxYwPvyEJiDK1Ge18sB7Fl8dHNq
C5ayaqCqN1voWYUdGzxU2IA1E/5kVo5O8FesJeOhAoGBAImJbZFf+D5kA32Xxhac
59lLWBCsocvvbd1cvDMNlRywAAyhsCb1SuX4nEAK9mrSBdfmoF2Nm3eilfsOds0f
K5mX069IKG82CMqh3Mzptd7e7lyb9lsoGO0BAtjho3cWtha/UZ70vfaMzGuZ6JmQ
ak6k+8+UFd93M4z0Qo74OhXB
-----END PRIVATE KEY-----`
const privateKey = await jose.importPKCS8(pkcs8, alg)
const jwt = await new jose.SignJWT({ 'urn:example:claim': true })
.setProtectedHeader({ alg })
.setIssuedAt()
.setIssuer('urn:example:issuer')
.setAudience('urn:example:audience')
.setExpirationTime('2h')
.sign(privateKey)
console.log(jwt)
Usage with a private JWK encoded RSA key
const alg = 'RS256'
const jwk = {
kty: 'RSA',
n: 'whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4HHHsrYCf2-FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS_Yv4hRvWfQPcc2Gc3-_fQOOW57zVy-rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj-KgDPjymkMGoJlO3aKppsjfbt_AH6GGdRghYRLOUwQU-h-ofWHR3lbYiKtXPn5dN24kiHy61e3VAQ9_YAZlwXC_99GGtw_NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZASw',
e: 'AQAB',
d: 'VuVE_KEP6323WjpbBdAIv7HGahGrgGANvbxZsIhm34lsVOPK0XDegZkhAybMZHjRhp-gwVxX5ChC-J3cUpOBH5FNxElgW6HizD2Jcq6t6LoLYgPSrfEHm71iHg8JsgrqfUnGYFzMJmv88C6WdCtpgG_qJV1K00_Ly1G1QKoBffEs-v4fAMJrCbUdCz1qWto-PU-HLMEo-krfEpGgcmtZeRlDADh8cETMQlgQfQX2VWq_aAP4a1SXmo-j0cvRU4W5Fj0RVwNesIpetX2ZFz4p_JmB5sWFEj_fC7h5z2lq-6Bme2T3BHtXkIxoBW0_pYVnASC8P2puO5FnVxDmWuHDYQ',
p: '07rgXd_tLUhVRF_g1OaqRZh5uZ8hiLWUSU0vu9coOaQcatSqjQlIwLW8UdKv_38GrmpIfgcEVQjzq6rFBowUm9zWBO9Eq6enpasYJBOeD8EMeDK-nsST57HjPVOCvoVC5ZX-cozPXna3iRNZ1TVYBY3smn0IaxysIK-zxESf4pM',
q: '6qrE9TPhCS5iNR7QrKThunLu6t4H_8CkYRPLbvOIt2MgZyPLiZCsvdkTVSOX76QQEXt7Y0nTNua69q3K3Jhf-YOkPSJsWTxgrfOnjoDvRKzbW3OExIMm7D99fVBODuNWinjYgUwGSqGAsb_3TKhtI-Gr5ls3fn6B6oEjVL0dpmk',
dp: 'mHqjrFdgelT2OyiFRS3dAAPf3cLxJoAGC4gP0UoQyPocEP-Y17sQ7t-ygIanguubBy65iDFLeGXa_g0cmSt2iAzRAHrDzI8P1-pQl2KdWSEg9ssspjBRh_F_AiJLLSPRWn_b3-jySkhawtfxwO8Kte1QsK1My765Y0zFvJnjPws',
dq: 'KmjaV4YcsVAUp4z-IXVa5htHWmLuByaFjpXJOjABEUN0467wZdgjn9vPRp-8Ia8AyGgMkJES_uUL_PDDrMJM9gb4c6P4-NeUkVtreLGMjFjA-_IQmIMrUZ7XywHsWXx0c2oLlrJqoKo3W-hZhR0bPFTYgDUT_mRWjk7wV6wl46E',
qi: 'iYltkV_4PmQDfZfGFpzn2UtYEKyhy-9t3Vy8Mw2VHLAADKGwJvVK5ficQAr2atIF1-agXY2bd6KV-w52zR8rmZfTr0gobzYIyqHczOm13t7uXJv2WygY7QEC2OGjdxa2Fr9RnvS99ozMa5nomZBqTqT7z5QV33czjPRCjvg6FcE',
}
const privateKey = await jose.importJWK(jwk, alg)
const jwt = await new jose.SignJWT({ 'urn:example:claim': true })
.setProtectedHeader({ alg })
.setIssuedAt()
.setIssuer('urn:example:issuer')
.setAudience('urn:example:audience')
.setExpirationTime('2h')
.sign(privateKey)
console.log(jwt)
▸ new SignJWT(payload
): SignJWT
Parameter | Type | Description |
---|---|---|
payload |
JWTPayload |
The JWT Claims Set object. Defaults to an empty object. |
▸ setAudience(audience
): this
Set the "aud" (Audience) Claim.
Parameter | Type | Description |
---|---|---|
audience |
string | string [] |
"aud" (Audience) Claim value to set on the JWT Claims Set. |
this
▸ setExpirationTime(input
): this
Set the "exp" (Expiration Time) Claim.
- If a
number
is passed as an argument it is used as the claim directly. - If a
Date
instance is passed as an argument it is converted to unix timestamp and used as the claim. - If a
string
is passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim.
Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day".
Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year.
If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp.
Parameter | Type | Description |
---|---|---|
input |
string | number | Date |
"exp" (Expiration Time) Claim value to set on the JWT Claims Set. |
this
▸ setIssuedAt(input
?): this
Set the "iat" (Issued At) Claim.
- If no argument is used the current unix timestamp is used as the claim.
- If a
number
is passed as an argument it is used as the claim directly. - If a
Date
instance is passed as an argument it is converted to unix timestamp and used as the claim. - If a
string
is passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim.
Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day".
Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year.
If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp.
Parameter | Type | Description |
---|---|---|
input ? |
string | number | Date |
"iat" (Expiration Time) Claim value to set on the JWT Claims Set. |
this
▸ setIssuer(issuer
): this
Set the "iss" (Issuer) Claim.
Parameter | Type | Description |
---|---|---|
issuer |
string |
"Issuer" Claim value to set on the JWT Claims Set. |
this
▸ setJti(jwtId
): this
Set the "jti" (JWT ID) Claim.
Parameter | Type | Description |
---|---|---|
jwtId |
string |
"jti" (JWT ID) Claim value to set on the JWT Claims Set. |
this
▸ setNotBefore(input
): this
Set the "nbf" (Not Before) Claim.
- If a
number
is passed as an argument it is used as the claim directly. - If a
Date
instance is passed as an argument it is converted to unix timestamp and used as the claim. - If a
string
is passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim.
Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day".
Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year.
If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp.
Parameter | Type | Description |
---|---|---|
input |
string | number | Date |
"nbf" (Not Before) Claim value to set on the JWT Claims Set. |
this
▸ setProtectedHeader(protectedHeader
): this
Sets the JWS Protected Header on the SignJWT object.
Parameter | Type | Description |
---|---|---|
protectedHeader |
JWTHeaderParameters |
JWS Protected Header. Must contain an "alg" (JWS Algorithm) property. |
this
▸ setSubject(subject
): this
Set the "sub" (Subject) Claim.
Parameter | Type | Description |
---|---|---|
subject |
string |
"sub" (Subject) Claim value to set on the JWT Claims Set. |
this
▸ sign(key
, options
?): Promise
<string
>
Signs and returns the JWT.
Parameter | Type | Description |
---|---|---|
key |
Uint8Array | KeyLike | JWK |
Private Key or Secret to sign the JWT with. See Algorithm Key Requirements. |
options ? |
SignOptions |
JWT Sign options. |
Promise
<string
>