
Encrypt tokens

Per the specification:

JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification.

Token encryption is a two-step process between the producer and the recipient:

  • Key sharing: both parties agree on a way to share a Content-Encryption Key (CEK). This method is described in the "alg" header of the JWT.
  • Encryption: both parties agree on the algorithm used to encrypt the claims of the token. This algorithm takes the CEK as input and can either produce (encrypt) or decode (decrypt) the claims. It is described in the "enc" header of the JWT.

Key sharing

First, choose a Key Manager to agree on a Content-Encryption Key with the recipient:

Encryption

Once you have a Key Manager, and a Content-Encryption Key, you can encrypt your token.

WARNING

The CEK MUST have the exact length required by the "enc" value in use (which depends on the selected method and preset). You can refer to JSON Web Keys for hints on how to generate a valid CEK for your algorithm.

```go
package main

import (
	"github.com/a-novel-kit/jwt"
	"github.com/a-novel-kit/jwt/jwe"
)

func main() {
	// Create one using any of the Key Manager methods above.
	var manager jwe.CEKManager

	// The preset selects the "enc" value and therefore the CEK length the manager must provide.
	encrypter := jwe.NewAESCBCEncryption(
		&jwe.AESCBCEncryptionConfig{CEKManager: manager},
		jwe.A128CBCHS256,
	)

	producer := jwt.NewProducer(jwt.ProducerConfig{
		Plugins: []jwt.ProducerPlugin{encrypter},
	})

	// Use the producer to issue encrypted tokens; referenced here so the example compiles.
	_ = producer
}
```

Available presets:

| Preset            | Target "enc"  |
|-------------------|---------------|
| jwe.A128CBCHS256  | A128CBC-HS256 |
| jwe.A192CBCHS384  | A192CBC-HS384 |
| jwe.A256CBCHS512  | A256CBC-HS512 |
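To make the CEK-length warning and the "enc" step concrete, here is an added example (not code from the a-novel-kit/jwt library) that implements the A128CBC-HS256 composite from RFC 7518 section 5.2.3 with the Go standard library only: the 32-byte CEK is split into a 16-byte HMAC-SHA-256 key and a 16-byte AES-128 key, the claims are encrypted with AES-CBC and PKCS#7 padding, and the tag is the first 16 bytes of HMAC over AAD || IV || ciphertext || AL. The function names, the sample header (a constructed base64url encoding of `{"alg":"dir","enc":"A128CBC-HS256"}`) and the sample claims are assumptions made for this example. It refuses a CEK of the wrong size up front and verifies the tag before decrypting, which is what makes the scheme authenticated rather than plain CBC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// A128CBC-HS256 sizes from RFC 7518 section 5.2.3: a 32-byte CEK whose first
// half is the HMAC-SHA-256 key and whose second half is the AES-128 key.
const (
	cekLen    = 32
	macKeyLen = 16
	tagLen    = 16
)

var (
	ErrBadCEKLength = errors.New("A128CBC-HS256 requires a 32-byte CEK")
	ErrBadIVLength  = errors.New("A128CBC-HS256 requires a 16-byte IV")
	ErrAuthFailed   = errors.New("authentication tag mismatch")
)

// NewCEK draws a fresh random CEK of exactly the length this preset expects.
func NewCEK() ([]byte, error) {
	cek := make([]byte, cekLen)
	_, err := rand.Read(cek)
	return cek, err
}

// pkcs7Pad returns a padded copy so the caller's slice is never modified.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, len(b)+n)
	copy(out, b)
	for i := len(b); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// computeTag authenticates AAD || IV || ciphertext || AL, where AL is the bit
// length of AAD as a 64-bit big-endian integer, truncated to 16 bytes.
func computeTag(macKey, aad, iv, ciphertext []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	h := hmac.New(sha256.New, macKey)
	h.Write(aad)
	h.Write(iv)
	h.Write(ciphertext)
	h.Write(al)
	return h.Sum(nil)[:tagLen]
}

// EncryptA128CBCHS256 encrypts plaintext under cek; aad is the ASCII of the
// base64url-encoded protected header, exactly as a JWE producer passes it.
func EncryptA128CBCHS256(cek, iv, aad, plaintext []byte) (ciphertext, tag []byte, err error) {
	if len(cek) != cekLen {
		return nil, nil, ErrBadCEKLength
	}
	if len(iv) != aes.BlockSize {
		return nil, nil, ErrBadIVLength
	}
	block, err := aes.NewCipher(cek[macKeyLen:])
	if err != nil {
		return nil, nil, err
	}
	padded := pkcs7Pad(plaintext)
	ciphertext = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, padded)
	return ciphertext, computeTag(cek[:macKeyLen], aad, iv, ciphertext), nil
}

// DecryptA128CBCHS256 verifies the tag in constant time before decrypting, so a
// tampered header or ciphertext is rejected without exposing padding behaviour.
func DecryptA128CBCHS256(cek, iv, aad, ciphertext, tag []byte) ([]byte, error) {
	if len(cek) != cekLen {
		return nil, ErrBadCEKLength
	}
	if len(iv) != aes.BlockSize || len(ciphertext)%aes.BlockSize != 0 {
		return nil, ErrBadIVLength
	}
	if !hmac.Equal(tag, computeTag(cek[:macKeyLen], aad, iv, ciphertext)) {
		return nil, ErrAuthFailed
	}
	block, err := aes.NewCipher(cek[macKeyLen:])
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ciphertext)
	return pkcs7Unpad(padded)
}

func main() {
	cek, _ := NewCEK()
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	// Constructed header {"alg":"dir","enc":"A128CBC-HS256"} in base64url.
	aad := []byte("eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0")
	ct, tag, _ := EncryptA128CBCHS256(cek, iv, aad, []byte(`{"sub":"user-1"}`))
	pt, err := DecryptA128CBCHS256(cek, iv, aad, ct, tag)
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
	_, _, err = EncryptA128CBCHS256(cek[:16], iv, aad, []byte("x"))
	fmt.Println("16-byte CEK rejected:", err)
}
```

The tag covers the protected header through the AAD, so changing "enc" or "alg" in the header after the fact fails verification just as flipping a ciphertext byte does; the library's presets pick these sizes for you, which is why the CEK handed to the Key Manager has to match the preset exactly.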