jjwt/README.md

[![Build Status](https://travis-ci.org/jwtk/jjwt.svg?branch=master)](https://travis-ci.org/jwtk/jjwt)

# Java JWT: JSON Web Token for Java

JJWT aims to be the easiest to use and understand library for creating and verifying JSON Web Tokens (JWTs) on the JVM.

JJWT is a 'clean room' implementation based solely on the [JWT](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25), [JWS](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31), [JWE](https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-31) and [JWA](https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-31) RFC draft specifications.

## Installation

Use your favorite Maven-compatible build tool to pull the dependency (and its transitive dependencies) from Maven Central:

```xml
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.1</version>
</dependency>
```

Note: JJWT depends on Jackson 2.x.  If you're already using an older version of Jackson in your app, [read this](#olderJackson)

## Usage

Most complexity is hidden behind convenient and readable Builder chaining calls.  Here's an example:

```java
import io.jsonwebtoken.Jwts;
import static io.jsonwebtoken.SignatureAlgorithm.*;

//Let's create a random signing key for testing:
Random random = new SecureRandom();
byte[] key = new byte[64];
random.nextBytes(key);

String compactJwt = Jwts.builder().setIssuer("Me").setSubject("Joe").signWith(HS256, key).compact();
```

How easy was that!?

Now let's verify the JWT (you should always discard JWTs that don't match an expected signature):

```java
Jwt jwt = Jwts.parser().setSigningKey(key).parse(compactJwt);

assert ((Claims)jwt.getBody()).getSubject().equals("Joe");
```

You have to love one-line code snippets in Java!

But what if signature validation failed?  You can catch `SignatureException` and react accordingly:

```java
try {

    Jwts.parser().setSigningKey(key).parse(compactJwt);

    //OK, we can trust this JWT

} catch (SignatureException e) {

    //don't trust the JWT!
}
```

## Supported Features

* Creating and parsing plaintext compact JWTs

* Creating, parsing and verifying digitally signed compact JWTs (aka JWSs) with the following algorithms:
    * HS256: HMAC using SHA-384
    * HS384: HMAC using SHA-384
    * HS512: HMAC using SHA-512
    * RS256: RSASSA-PKCS-v1_5 using SHA-256
    * RS384: RSASSA-PKCS-v1_5 using SHA-384
    * RS512: RSASSA-PKCS-v1_5 using SHA-512
    * PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
    * PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
    * PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

## Currently Unsupported Features

* [Non-compact](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-7.2) serialization and parsing.
* Elliptic Curve signature algorithms `ES256`, `ES384` and `ES512`.
* JWE (Encryption for JWT)

These feature sets will be implemented in a future release when possible.  Community contributions are welcome!

## Release Notes

### 0.2

#### More convenient Claims building

This release adds convenience methods to the `JwtBuilder` interface so you can set claims directly on the builder without having to create a separate Claims instance/builder, reducing the amount of code you have to write.  For example, this:

```java
Claims claims = Jwts.claims().setIssuer("Me").setSubject("Joe");

String compactJwt = Jwts.builder().setClaims(claims).signWith(HS256, key).compact();
```

can now be written as:

```java
String compactJwt = Jwts.builder().setIssuer("Me").setSubject("Joe").signWith(HS256, key).compact();
```

A Claims instance based on the specified claims will be created and set as the JWT's payload automatically.

<a name="olderJackson"></a>
#### Already using an older Jackson dependency?

JJWT depends on Jackson 2.4.x (or later).  If you are already using a Jackson version in your own application less than 2.x, for example 1.9.x, you will likely see [runtime errors](https://github.com/jwtk/jjwt/issues/1).  To avoid this, you should change your project build configuration to explicitly point to a 2.x version of Jackson.  For example:

```xml
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.4.2</version>
</dependency>
```
Added Travis build status image to readme 2014-09-19 15:00:25 -04:00			`[![Build Status](https://travis-ci.org/jwtk/jjwt.svg?branch=master)](https://travis-ci.org/jwtk/jjwt)`
Initial commit 2014-09-12 21:06:24 -04:00
Update README.md 2014-09-23 17:13:50 -04:00			`# Java JWT: JSON Web Token for Java`
Initial commit! 2014-09-18 22:14:22 -04:00
Update README.md 2014-09-25 16:52:02 -04:00			`JJWT aims to be the easiest to use and understand library for creating and verifying JSON Web Tokens (JWTs) on the JVM.`
updated readme to reflect upcoming release 2014-09-19 23:22:49 -04:00
Update README.md 2014-09-25 16:51:08 -04:00			`JJWT is a 'clean room' implementation based solely on the [JWT](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25), [JWS](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31), [JWE](https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-31) and [JWA](https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-31) RFC draft specifications.`
Update README.md 2014-09-25 16:49:59 -04:00
updated readme to reflect upcoming release 2014-09-19 23:22:49 -04:00			`## Installation`

			`Use your favorite Maven-compatible build tool to pull the dependency (and its transitive dependencies) from Maven Central:`

			```xml
			`<dependency>`
			`<groupId>io.jsonwebtoken</groupId>`
			`<artifactId>jjwt</artifactId>`
			`<version>0.1</version>`
			`</dependency>`
			```

Update README.md Added notes for projects that might have existing dependencies on an older Jackson version. 2014-09-26 16:32:19 -04:00			`Note: JJWT depends on Jackson 2.x. If you're already using an older version of Jackson in your app, [read this](#olderJackson)`

updated readme to reflect upcoming release 2014-09-19 23:22:49 -04:00			`## Usage`

			`Most complexity is hidden behind convenient and readable Builder chaining calls. Here's an example:`
Initial commit! 2014-09-18 22:14:22 -04:00
code block formatting change 2014-09-19 17:47:01 -04:00			```java
updated readme to reflect upcoming release 2014-09-19 23:23:29 -04:00			`import io.jsonwebtoken.Jwts;`
updated readme to reflect upcoming release 2014-09-19 23:22:49 -04:00			`import static io.jsonwebtoken.SignatureAlgorithm.*;`

code block formatting change 2014-09-19 17:47:01 -04:00			`//Let's create a random signing key for testing:`
			`Random random = new SecureRandom();`
			`byte[] key = new byte[64];`
			`random.nextBytes(key);`
Initial commit! 2014-09-18 22:14:22 -04:00
updated Readme release notes 2014-09-26 20:52:40 -04:00			`String compactJwt = Jwts.builder().setIssuer("Me").setSubject("Joe").signWith(HS256, key).compact();`
code block formatting change 2014-09-19 17:47:01 -04:00			```
Initial commit! 2014-09-18 22:14:22 -04:00
			`How easy was that!?`

			`Now let's verify the JWT (you should always discard JWTs that don't match an expected signature):`

code block formatting change 2014-09-19 17:47:01 -04:00			```java
Update README.md Updating docs to reflect `Jwt` type instead of `Token` type 2014-09-26 19:31:08 -04:00			`Jwt jwt = Jwts.parser().setSigningKey(key).parse(compactJwt);`
Initial commit! 2014-09-18 22:14:22 -04:00
updated Readme release notes 2014-09-26 20:52:40 -04:00			`assert ((Claims)jwt.getBody()).getSubject().equals("Joe");`
code block formatting change 2014-09-19 17:47:01 -04:00			```
Initial commit! 2014-09-18 22:14:22 -04:00
			`You have to love one-line code snippets in Java!`

			But what if signature validation failed? You can catch `SignatureException` and react accordingly:

code block formatting change 2014-09-19 17:47:01 -04:00			```java
			`try {`
Initial commit! 2014-09-18 22:14:22 -04:00
Update README.md Updating docs to reflect `Jwt` type instead of `Token` type 2014-09-26 19:31:08 -04:00			`Jwts.parser().setSigningKey(key).parse(compactJwt);`
Initial commit! 2014-09-18 22:14:22 -04:00
code block formatting change 2014-09-19 17:47:01 -04:00			`//OK, we can trust this JWT`
Initial commit! 2014-09-18 22:14:22 -04:00
code block formatting change 2014-09-19 17:47:01 -04:00			`} catch (SignatureException e) {`
Initial commit! 2014-09-18 22:14:22 -04:00
code block formatting change 2014-09-19 17:47:01 -04:00			`//don't trust the JWT!`
			`}`
			```
Initial commit! 2014-09-18 22:14:22 -04:00
			`## Supported Features`

Made some documentation clarifications 2014-09-19 17:30:47 -04:00			`* Creating and parsing plaintext compact JWTs`
Initial commit! 2014-09-18 22:14:22 -04:00
Update README.md 2014-09-25 16:42:16 -04:00			`* Creating, parsing and verifying digitally signed compact JWTs (aka JWSs) with the following algorithms:`
Initial commit! 2014-09-18 22:14:22 -04:00			`* HS256: HMAC using SHA-384`
			`* HS384: HMAC using SHA-384`
			`* HS512: HMAC using SHA-512`
			`* RS256: RSASSA-PKCS-v1_5 using SHA-256`
			`* RS384: RSASSA-PKCS-v1_5 using SHA-384`
			`* RS512: RSASSA-PKCS-v1_5 using SHA-512`
			`* PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256`
			`* PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384`
			`* PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512`

			`## Currently Unsupported Features`

Update README.md 2014-09-25 16:43:41 -04:00			`* [Non-compact](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-7.2) serialization and parsing.`
			* Elliptic Curve signature algorithms `ES256`, `ES384` and `ES512`.
			`* JWE (Encryption for JWT)`
Initial commit! 2014-09-18 22:14:22 -04:00
Made some documentation clarifications 2014-09-19 17:30:47 -04:00			`These feature sets will be implemented in a future release when possible. Community contributions are welcome!`
Update README.md Added notes for projects that might have existing dependencies on an older Jackson version. 2014-09-26 16:32:19 -04:00
updated Readme release notes 2014-09-26 20:52:40 -04:00			`## Release Notes`

			`### 0.2`

			`#### More convenient Claims building`

			This release adds convenience methods to the `JwtBuilder` interface so you can set claims directly on the builder without having to create a separate Claims instance/builder, reducing the amount of code you have to write. For example, this:

			```java
			`Claims claims = Jwts.claims().setIssuer("Me").setSubject("Joe");`

			`String compactJwt = Jwts.builder().setClaims(claims).signWith(HS256, key).compact();`
			```

			`can now be written as:`

			```java
			`String compactJwt = Jwts.builder().setIssuer("Me").setSubject("Joe").signWith(HS256, key).compact();`
			```

Doc update 2014-09-26 20:59:16 -04:00			`A Claims instance based on the specified claims will be created and set as the JWT's payload automatically.`
updated Readme release notes 2014-09-26 20:52:40 -04:00
Update README.md Added notes for projects that might have existing dependencies on an older Jackson version. 2014-09-26 16:32:19 -04:00			`<a name="olderJackson"></a>`
			`#### Already using an older Jackson dependency?`

Update README.md 2014-09-26 16:48:11 -04:00			`JJWT depends on Jackson 2.4.x (or later). If you are already using a Jackson version in your own application less than 2.x, for example 1.9.x, you will likely see [runtime errors](https://github.com/jwtk/jjwt/issues/1). To avoid this, you should change your project build configuration to explicitly point to a 2.x version of Jackson. For example:`
Update README.md Added notes for projects that might have existing dependencies on an older Jackson version. 2014-09-26 16:32:19 -04:00
			```xml
			`<dependency>`
			`<groupId>com.fasterxml.jackson.core</groupId>`
			`<artifactId>jackson-databind</artifactId>`
			`<version>2.4.2</version>`
			`</dependency>`
			```