Represents the client JWT Auth provider, which is used to authenticate with an external endpoint by issuing a
self-signed JWT.
```ballerina
jwt:ClientSelfSignedJwtAuthProvider provider = new({
    issuer: "example",
    audience: ["ballerina"],
    keyStoreConfig: {
        keyAlias: "ballerina",
        keyPassword: "ballerina",
        keyStore: {
            path: "/path/to/keystore.p12",
            password: "ballerina"
        }
    }
});
```


Provides authentication based on the provided JWT configurations.



init

issuerConfig

IssuerConfig

Issues a self-signed JWT for authentication.
```ballerina
string|auth:Error token = provider.generateToken();
```



generateToken

Generated token or else an `auth:Error` if token can't be generated


ClientSelfSignedJwtAuthProvider

Represents the listener JWT Auth provider, which authenticates by validating a JWT.
```ballerina
jwt:ListenerJwtAuthProvider provider = new({
    issuer: "example",
    audience: "ballerina",
    signatureConfig: {
        certificateAlias: "ballerina",
        trustStore: {
            path: "/path/to/truststore.p12",
            password: "ballerina"
        }
    }
});
```



Provides authentication based on the provided JWT.



validatorConfig

ValidatorConfig

Authenticates provided JWT against `jwt:ValidatorConfig`.
```ballerina
boolean|auth:Error result = provider.authenticate("<credential>");
```



authenticate

credential

string

`jwt:Payload` if authentication is successful or else an `auth:Error` if JWT validation failed


ListenerJwtAuthProvider

NONE

RS256

RS384

RS512

## Package Overview

This package provides a listener JWT authentication provider, which can be used to authenticate the provided credentials against the provided JWT validator configurations, and a client self-signed JWT authentication provider, which can be used to authenticate against an external endpoint with a self-signed JWT issued against the provided JWT issuer configurations. Also, this module provides the functionality related to issuing and validating a JWT.

For information on the operations, which you can perform with this module, see the below **Functions**. For examples on the usage of the operations, see the following.
 * [JWT Issue/Validate Example](https://ballerina.io/learn/by-example/jwt-issue-validate.html)
 * [HTTP Service with JWT Auth Example](https://ballerina.io/learn/by-example/http-service-with-jwt-auth.html)
 * [HTTP Client with Self Signed JWT Auth Example](https://ballerina.io/learn/by-example/http-client-with-self-signed-jwt-auth.html)
 * [HTTP Client with Bearer Token Auth Example](https://ballerina.io/learn/by-example/http-client-with-bearer-token-auth.html)


HTTP_1_1

HTTP_2

HttpVersion

Represents the JWT error. This will be returned if an error occurred while issuing/validating a JWT or any operation
related to JWT.


Error

Decodes the provided JWT string.
```ballerina
[jwt:Header, jwt:Payload]|jwt:Error [header, payload] = jwt:decode(jwt);
```



decode

The `jwt:Header` and `jwt:Payload` as a  tuple or else a `jwt:Error` if token decoding fails


Issues a JWT based on the provided configurations. JWT will be signed (JWS) if `crypto:KeyStore` information is
provided in the `jwt:KeyStoreConfig` and the `jwt:SigningAlgorithm` is not `jwt:NONE`.
```ballerina
string|jwt:Error jwt = jwt:issue(issuerConfig);
```



issue

JWT as a `string` or else a `jwt:Error` if token issuing fails


Validates the provided JWT, against the provided configurations.
```ballerina
jwt:Payload|jwt:Error result = jwt:validate(jwt, validatorConfig);
```



validate

`jwt:Payload` or else a `jwt:Error` if token validation fails


Payload

Represents combination of certificate, private key and private key password if encrypted.



certFile

keyFile

Password of the private key (if encrypted)


keyPassword

CertKey

Represents the configurations of the client used to call the JWKS endpoint.



httpVersion

secureSocket

SecureSocket

ClientConfiguration

Cryptographic algorithm used to secure the JWS


SigningAlgorithm

Content type, convey structural information about the JWT


Key ID, hint indicating which key was used to secure the JWS


Header

JWT username, which is mapped to the `sub`


username

JWT issuer, which is mapped to the `iss`


issuer

JWT audience, which is mapped to the `aud`


audience

jwtId

keyId

customClaims

json

expTime

decimal

signatureConfig

IssuerSignatureConfig

Represents JWT signature configurations.



algorithm

KeyStore configurations or private key configurations


config

    record {|
        crypto:KeyStore keyStore;
        string keyAlias;
        string keyPassword;
    |} 

record {|
        string keyFile;
        string keyPassword?;
    |} 

Issuer, identifies the principal that issued the JWT


Subject, identifies the principal that is the subject of the JWT


Audience, identifies the recipients that the JWT is intended for


Expiration time, identifies the expiration time (seconds since the Epoch) on or after which the JWT must not be accepted


Not before, identifies the time (seconds since the Epoch) before which the JWT must not be accepted


Issued at, identifies the time (seconds since the Epoch) at which the JWT was issued


disable

boolean

Configurations associated with the `crypto:TrustStore` or single certificate file that the client trusts


cert

TrustStore

Configurations associated with the `crypto:KeyStore` or combination of certificate and private key of the client


KeyStore

Represents JWT validator configurations.



Expected issuer, which is mapped to the `iss`


Expected audience, which is mapped to the `aud`


Clock skew (in seconds) that can be used to avoid token validation failures due to clock synchronization problems


clockSkew

ValidatorSignatureConfig

Configurations related to the cache, which are used to store parsed JWT information


cacheConfig

CacheConfig

jwksConfig

    record {|
        string url;
        cache:CacheConfig cacheConfig?;
        ClientConfiguration clientConfig = {};
    |} 

trustStoreConfig

    record {|
        crypto:TrustStore trustStore;
        string certAlias;
    |} 

This package provides a listener JWT authentication provider, which can be used to authenticate the provided credentials against the provided JWT validator configurations, and a client self-signed JWT authentication provider, which can be used to authenticate against an external endpoint with a self-signed JWT issued against the provided JWT issuer configurations. Also, this module provides the functionality related to issuing and validating a JWT.


The cryptographic algorithms used to secure the JWS.


Represents the client JWT Auth provider, which is used to authenticate with an external endpoint by issuing a
self-signed JWT.

Represents the listener JWT Auth provider, which authenticates by validating a JWT.

Issues a JWT based on the provided configurations.

Validates the provided JWT, against the provided configurations.

This package provides a listener JWT authentication provider, which can be used to authenticate the provided credentials against the provided JWT validator configurations, and a client self-signed JWT authentication provider, which can be used to authenticate against an external endpoint with a self-signed JWT issued against the provided JWT issuer configurations.

Represents combination of certificate, private key and private key password if encrypted.

Represents the configurations of the client used to call the JWKS endpoint.

The cryptographic algorithms used to secure the JWS.

ballerina/jwt
1.1.0-alpha8
1.1.0-beta.2 1.1.0-beta.1 1.1.0-alpha8

Package Overview

Functions

Classes

Records

Constants

Enums

Types

Errors

decode	Decodes the provided JWT string.
issue	Issues a JWT based on the provided configurations.
validate	Validates the provided JWT, against the provided configurations.

NONE	Unsecured JWS (no signing).
RS256	The `RSA-SHA256` algorithm.
RS384	The `RSA-SHA384` algorithm.
RS512	The `RSA-SHA512` algorithm.

ballerina/jwt1.1.0-alpha81.1.0-beta.21.1.0-beta.11.1.0-alpha8