
github.com/auth0/java-jwt @4.5.2 sqlite

1,120 symbols 6,541 edges 76 files 156 documented · 14% 10 cross-repo links
README

Note: As part of our ongoing commitment to best security practices, we have rotated the signing keys used to sign previous releases of this SDK. As a result, new patch builds have been released using the new signing key. Please upgrade at your earliest convenience.

While this change won't affect most developers, if you have implemented a dependency signature validation step in your build process, you may notice a warning that past releases can't be verified. This is expected, and a result of the key rotation process. Updating to the latest version will resolve this for you.

A Java implementation of JSON Web Token (JWT) - RFC 7519.


Documentation

  • Examples - code samples for common java-jwt scenarios.
  • Docs site - explore our docs site and learn more about Auth0.

Getting Started

Requirements

This library is supported for Java LTS versions 8, 11, 17 and 21. For issues on non-LTS versions above 8, consideration will be given on a case-by-case basis.

java-jwt is intended for server-side JVM applications. Android applications should use JWTDecode.Android.

java-jwt supports the following algorithms for both signing and verification:

| JWS   | Algorithm | Description                        |
|-------|-----------|------------------------------------|
| HS256 | HMAC256   | HMAC with SHA-256                  |
| HS384 | HMAC384   | HMAC with SHA-384                  |
| HS512 | HMAC512   | HMAC with SHA-512                  |
| RS256 | RSA256    | RSASSA-PKCS1-v1_5 with SHA-256     |
| RS384 | RSA384    | RSASSA-PKCS1-v1_5 with SHA-384     |
| RS512 | RSA512    | RSASSA-PKCS1-v1_5 with SHA-512     |
| ES256 | ECDSA256  | ECDSA with curve P-256 and SHA-256 |
| ES384 | ECDSA384  | ECDSA with curve P-384 and SHA-384 |
| ES512 | ECDSA512  | ECDSA with curve P-521 and SHA-512 |

Note - Support for ECDSA with curve secp256k1 and SHA-256 (ES256K) has been dropped since it has been disabled in Java 15.

Important security note: The JVM has a critical vulnerability affecting ECDSA algorithms, CVE-2022-21449. Please review the details of the vulnerability and update your environment.

Installation

Add the dependency via Maven:

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>java-jwt</artifactId>
  <version>4.5.2</version>
</dependency>

or Gradle:

implementation 'com.auth0:java-jwt:4.5.2'

Create a JWT

Use JWT.create(), configure the claims, and then call sign(algorithm) to sign the JWT.

The example below demonstrates this using the RS256 signing algorithm:

try {
    Algorithm algorithm = Algorithm.RSA256(rsaPublicKey, rsaPrivateKey);
    String token = JWT.create()
        .withIssuer("auth0")
        .sign(algorithm);
} catch (JWTCreationException exception){
    // Invalid Signing configuration / Couldn't convert Claims.
}

Verify a JWT

Create a JWTVerifier passing the Algorithm, and specify any required claim values.

The following example uses RS256 to verify the JWT.

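// Sample token kept from the original example. Its header decodes to alg HS256,
// so the RS256 verifier below rejects it; substitute a token signed with the matching RSA key.
String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";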
DecodedJWT decodedJWT;
try {
    Algorithm algorithm = Algorithm.RSA256(rsaPublicKey, rsaPrivateKey);
    JWTVerifier verifier = JWT.require(algorithm)
        // specify any specific claim validations
        .withIssuer("auth0")
        // reusable verifier instance
        .build();

    decodedJWT = verifier.verify(token);
} catch (JWTVerificationException exception){
    // Invalid signature/claims
}

If the token has an invalid signature or the Claim requirement is not met, a JWTVerificationException will be thrown.
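The failure cases described above, as an added example that is not part of the original README or the project's code: it signs several tokens with a throwaway RSA key and prints which JWTVerificationException subclass the verifier raises for each. The class name VerifyFailureModes, the issuer strings and the HMAC secret are constructed for the demo; it assumes java-jwt 4.x on the classpath.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;

public class VerifyFailureModes {
    // Returns "accepted", or the class name of the JWTVerificationException thrown.
    static String check(JWTVerifier verifier, String token) {
        try {
            verifier.verify(token);
            return "accepted";
        } catch (JWTVerificationException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Throwaway RSA key pair, constructed for this demo only.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Algorithm signer = Algorithm.RSA256(null, (RSAPrivateKey) kp.getPrivate());
        // The verifying side needs only the public key.
        JWTVerifier verifier = JWT
            .require(Algorithm.RSA256((RSAPublicKey) kp.getPublic(), null))
            .withIssuer("auth0")
            .build();
        Instant now = Instant.now();
        String good = JWT.create().withIssuer("auth0")
            .withExpiresAt(now.plusSeconds(300)).sign(signer);
        String wrongIssuer = JWT.create().withIssuer("not-auth0")
            .withExpiresAt(now.plusSeconds(300)).sign(signer);
        String expired = JWT.create().withIssuer("auth0")
            .withExpiresAt(now.minusSeconds(300)).sign(signer);
        // Signed with a different algorithm than the verifier was built for.
        String otherAlg = JWT.create().withIssuer("auth0")
            .sign(Algorithm.HMAC256("constructed-demo-secret"));
        // Header and payload of one token joined to the signature of another.
        String spliced = good.substring(0, good.lastIndexOf('.'))
            + expired.substring(expired.lastIndexOf('.'));
        String[][] cases = {{"good", good}, {"wrong issuer", wrongIssuer},
            {"expired", expired}, {"other alg", otherAlg}, {"spliced", spliced}};
        for (String[] c : cases) System.out.println(c[0] + " -> " + check(verifier, c[1]));
    }
}
```

Catching the specific subclasses instead of the base exception lets a service log an expired token differently from a bad signature or an algorithm mismatch.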

See the examples and JavaDocs for additional documentation.

API Reference

Feedback

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

Raise an issue

To provide feedback or report a bug, please raise an issue on our issue tracker.

Vulnerability Reporting

Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.


Auth0 is an easy-to-implement, adaptable authentication and authorization platform. To learn more, check out Why Auth0?

This project is licensed under the MIT license. See the LICENSE file for more info.

Extension points exported contracts — how you extend this code

JWTVerifier (Interface)
Used to verify the JWT for its signature and claims. Implementations must be thread-safe. Instances are created using {@ [7 …
lib/src/main/java/com/auth0/jwt/interfaces/JWTVerifier.java
Verification (Interface)
Constructs and holds the checks required for a JWT to be considered valid. Note that implementations are not</st [4 implementers]
lib/src/main/java/com/auth0/jwt/interfaces/Verification.java
Payload (Interface)
The Payload class represents the 2nd part of the JWT, where the Payload value is held. [4 implementers]
lib/src/main/java/com/auth0/jwt/interfaces/Payload.java
Claim (Interface)
The Claim class holds the value in a generic way so that it can be recovered in many representations. [3 implementers]
lib/src/main/java/com/auth0/jwt/interfaces/Claim.java
Header (Interface)
The Header class represents the 1st part of the JWT, where the Header value is held. [3 implementers]
lib/src/main/java/com/auth0/jwt/interfaces/Header.java

Core symbols most depended-on inside this repo

decode
called by 244
lib/src/main/java/com/auth0/jwt/JWT.java
HMAC256
called by 190
lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java
build
called by 146
lib/src/main/java/com/auth0/jwt/interfaces/Verification.java
verify
called by 139
lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java
init
called by 113
lib/src/main/java/com/auth0/jwt/JWTVerifier.java
verify
called by 101
lib/src/main/java/com/auth0/jwt/interfaces/JWTVerifier.java
sign
called by 94
lib/src/main/java/com/auth0/jwt/JWTCreator.java
init
called by 83
lib/src/main/java/com/auth0/jwt/JWTCreator.java

Shape

Method 1,040
Class 69
Interface 11

Languages

Java 100%

Modules by API surface

lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java - 96 symbols
lib/src/test/java/com/auth0/jwt/algorithms/ECDSAAlgorithmTest.java - 86 symbols
lib/src/test/java/com/auth0/jwt/algorithms/ECDSABouncyCastleProviderTests.java - 75 symbols
lib/src/test/java/com/auth0/jwt/JWTCreatorTest.java - 64 symbols
lib/src/test/java/com/auth0/jwt/algorithms/AlgorithmTest.java - 57 symbols
lib/src/test/java/com/auth0/jwt/impl/JsonNodeClaimTest.java - 48 symbols
lib/src/test/java/com/auth0/jwt/algorithms/RSAAlgorithmTest.java - 45 symbols
lib/src/test/java/com/auth0/jwt/JWTDecoderTest.java - 43 symbols
lib/src/test/java/com/auth0/jwt/JWTTest.java - 39 symbols
lib/src/main/java/com/auth0/jwt/JWTVerifier.java - 38 symbols
lib/src/test/java/com/auth0/jwt/impl/PayloadSerializerTest.java - 27 symbols
lib/src/main/java/com/auth0/jwt/JWTCreator.java - 26 symbols
