2014-09-19 15:00:25 -04:00
[![Build Status ](https://travis-ci.org/jwtk/jjwt.svg?branch=master )](https://travis-ci.org/jwtk/jjwt)
2015-10-27 21:55:52 -04:00
[![Coverage Status ](https://coveralls.io/repos/jwtk/jjwt/badge.svg?branch=master )](https://coveralls.io/r/jwtk/jjwt?branch=master)
2014-09-12 21:06:24 -04:00
2015-05-12 21:49:43 -04:00
# Java JWT: JSON Web Token for Java and Android
2014-09-18 22:14:22 -04:00
2014-09-25 16:52:02 -04:00
JJWT aims to be the easiest to use and understand library for creating and verifying JSON Web Tokens (JWTs) on the JVM.
2014-09-19 23:22:49 -04:00
2015-12-11 12:48:50 -05:00
JJWT is a 'clean room' implementation based solely on the [JWT ](https://tools.ietf.org/html/rfc7519 ), [JWS ](https://tools.ietf.org/html/rfc7515 ), [JWE ](https://tools.ietf.org/html/rfc7516 ), [JWK ](https://tools.ietf.org/html/rfc7517 ) and [JWA ](https://tools.ietf.org/html/rfc7518 ) RFC specifications.
2014-09-25 16:49:59 -04:00
2014-09-19 23:22:49 -04:00
## Installation
2015-05-12 21:49:43 -04:00
Use your favorite Maven-compatible build tool to pull the dependency (and its transitive dependencies) from Maven Central:
2014-11-19 22:33:29 -05:00
Maven:
2014-09-19 23:22:49 -04:00
```xml
< dependency >
< groupId > io.jsonwebtoken< / groupId >
< artifactId > jjwt< / artifactId >
2015-10-12 19:22:44 -04:00
< version > 0.6.0< / version >
2014-09-19 23:22:49 -04:00
< / dependency >
```
2014-11-19 22:33:29 -05:00
Gradle:
```groovy
2014-11-19 22:31:37 -05:00
dependencies {
2015-10-12 19:22:44 -04:00
compile 'io.jsonwebtoken:jjwt:0.6.0'
2014-11-19 22:31:37 -05:00
}
```
2014-09-19 23:22:49 -04:00
2016-02-23 20:41:48 -05:00
Release changes are viewable in the [change log ](https://github.com/jwtk/jjwt/blob/master/changelog.md )
2014-09-26 16:32:19 -04:00
Note: JJWT depends on Jackson 2.x. If you're already using an older version of Jackson in your app, [read this ](#olderJackson )
2014-09-19 23:22:49 -04:00
## Usage
2014-09-27 01:26:36 -04:00
Most complexity is hidden behind a convenient and readable builder-based [fluent interface ](http://en.wikipedia.org/wiki/Fluent_interface ), great for relying on IDE auto-completion to write code quickly. Here's an example:
2014-09-18 22:14:22 -04:00
2014-09-19 17:47:01 -04:00
```java
2014-09-19 23:23:29 -04:00
import io.jsonwebtoken.Jwts;
2015-03-14 20:44:56 -04:00
import io.jsonwebtoken.SignatureAlgorithm;
2015-05-12 21:49:43 -04:00
import io.jsonwebtoken.impl.crypto.MacProvider;
2015-05-12 21:55:15 -04:00
import java.security.Key;
2014-09-19 23:22:49 -04:00
2015-03-14 20:44:56 -04:00
// We need a signing key, so we'll create one just for this example. Usually
// the key would be read from your application configuration instead.
2015-05-13 16:04:11 -04:00
Key key = MacProvider.generateKey();
2014-09-18 22:14:22 -04:00
2015-05-12 21:49:43 -04:00
String s = Jwts.builder().setSubject("Joe").signWith(SignatureAlgorithm.HS512, key).compact();
2014-09-19 17:47:01 -04:00
```
2014-09-18 22:14:22 -04:00
How easy was that!?
Now let's verify the JWT (you should always discard JWTs that don't match an expected signature):
2014-09-19 17:47:01 -04:00
```java
2015-05-12 21:51:59 -04:00
assert Jwts.parser().setSigningKey(key).parseClaimsJws(s).getBody().getSubject().equals("Joe");
2014-09-19 17:47:01 -04:00
```
2014-09-18 22:14:22 -04:00
2014-11-19 22:45:47 -05:00
You have to love one-line code snippets!
2014-09-18 22:14:22 -04:00
But what if signature validation failed? You can catch `SignatureException` and react accordingly:
2014-09-19 17:47:01 -04:00
```java
try {
2014-09-18 22:14:22 -04:00
2015-09-11 14:28:43 -04:00
Jwts.parser().setSigningKey(key).parseClaimsJws(compactJwt);
2014-09-18 22:14:22 -04:00
2014-09-19 17:47:01 -04:00
//OK, we can trust this JWT
2014-09-18 22:14:22 -04:00
2014-09-19 17:47:01 -04:00
} catch (SignatureException e) {
2014-09-18 22:14:22 -04:00
2014-09-19 17:47:01 -04:00
//don't trust the JWT!
}
```
2014-09-18 22:14:22 -04:00
## Supported Features
2014-09-19 17:30:47 -04:00
* Creating and parsing plaintext compact JWTs
2014-09-18 22:14:22 -04:00
2015-05-08 02:36:03 -04:00
* Creating, parsing and verifying digitally signed compact JWTs (aka JWSs) with all standard JWS algorithms:
2015-04-17 12:59:16 -04:00
* HS256: HMAC using SHA-256
2014-09-18 22:14:22 -04:00
* HS384: HMAC using SHA-384
* HS512: HMAC using SHA-512
* RS256: RSASSA-PKCS-v1_5 using SHA-256
* RS384: RSASSA-PKCS-v1_5 using SHA-384
* RS512: RSASSA-PKCS-v1_5 using SHA-512
* PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
* PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
* PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512
2015-05-08 02:36:03 -04:00
* ES256: ECDSA using P-256 and SHA-256
* ES384: ECDSA using P-384 and SHA-384
* ES512: ECDSA using P-512 and SHA-512
2014-09-18 22:14:22 -04:00
## Currently Unsupported Features
2014-09-25 16:43:41 -04:00
* [Non-compact ](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-7.2 ) serialization and parsing.
* JWE (Encryption for JWT)
2014-09-18 22:14:22 -04:00
2014-09-19 17:30:47 -04:00
These feature sets will be implemented in a future release when possible. Community contributions are welcome!
2014-09-26 16:32:19 -04:00
2015-07-31 20:40:35 -04:00
## Learn More
- [JSON Web Token for Java and Android ](https://stormpath.com/blog/jjwt-how-it-works-why/ )
- [How to Create and Verify JWTs in Java ](https://stormpath.com/blog/jwt-java-create-verify/ )
2016-02-23 20:41:48 -05:00
- [Where to Store Your JWTs - Cookies vs HTML5 Web Storage ](https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/ )
- [Use JWT the Right Way! ](https://stormpath.com/blog/jwt-the-right-way/ )
- [Token Authentication for Java Applications ](https://stormpath.com/blog/token-auth-for-java/ )
2015-07-31 20:40:35 -04:00
## Author
Maintained by [Stormpath ](https://stormpath.com/ )
2014-09-26 16:32:19 -04:00
#### Already using an older Jackson dependency?
2014-09-26 16:48:11 -04:00
JJWT depends on Jackson 2.4.x (or later). If you are already using a Jackson version in your own application less than 2.x, for example 1.9.x, you will likely see [runtime errors ](https://github.com/jwtk/jjwt/issues/1 ). To avoid this, you should change your project build configuration to explicitly point to a 2.x version of Jackson. For example:
2014-09-26 16:32:19 -04:00
```xml
< dependency >
< groupId > com.fasterxml.jackson.core< / groupId >
< artifactId > jackson-databind< / artifactId >
< version > 2.4.2< / version >
< / dependency >
```
2015-07-31 20:40:35 -04:00
## Licensing
This project is open-source via the [Apache 2.0 License ](http://www.apache.org/licenses/LICENSE-2.0 ).