Jwt (jose.Jose.Jwt)

JSON Web Token

type payload = Yojson.Safe.t

type claim = string * Yojson.Safe.t

val empty_payload : payload

type t = {

header : Header.t;
raw_header : string;
payload : payload;
raw_payload : string;
signature : Jws.signature;

}

val add_claim : string -> Yojson.Safe.t -> payload -> payload

val get_yojson_claim : t -> string -> Yojson.Safe.t option

val get_string_claim : t -> string -> string option

val get_int_claim : t -> string -> int option

val to_string : ?serialization:Jws.serialization -> t -> string

val of_string : 
  jwk:'a Jwk.t ->
  now:Ptime.t ->
  string ->
  (t,
    [> `Expired
    | `Invalid_signature
    | `Msg of string
    | `Not_json
    | `Not_supported ])
    Stdlib.result

of_string ~jwk jwt_string parses and validates the encoded JWT string.

val unsafe_of_string : 
  string ->
  (t, [> `Msg of string | `Not_json | `Not_supported ]) Stdlib.result

val to_jws : t -> Jws.t

val of_jws : Jws.t -> t

val validate_signature : 
  jwk:'a Jwk.t ->
  t ->
  (t, [> `Invalid_signature | `Msg of string ]) Stdlib.result

validate_signature ~jwk t checks if the JWT is valid and then calls Jws.validate to validate the signature

val check_expiration : now:Ptime.t -> t -> (t, [> `Expired ]) Stdlib.result

check_expiration ~now t checks whether the JWT is valid at the current time.

val validate : 
  jwk:'a Jwk.t ->
  now:Ptime.t ->
  t ->
  (t, [> `Expired | `Invalid_signature | `Msg of string ]) Stdlib.result

validate ~jwk ~now t does the same validation as `validate_signature` and additionally checks expiration.

val sign : 
  ?header:Header.t ->
  payload:payload ->
  Jwk.priv Jwk.t ->
  (t, [> `Msg of string ]) Stdlib.result

sign header payload priv creates a signed JWT from header and payload

We will start using a private JWK instead of a Mirage_crypto_pk.Rsa.priv soon