JSON Web Token (JWT)
Description
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
Decode, verify and validate a JWT
| encoded jwt keyStore verified |
encoded := 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'.
"Decode the JWT (this only parses it; the signature is not checked yet)"
jwt := SstJwt fromCompactString: encoded.
"Output the claims"
Transcript cr; show: 'claims: ', (jwt claims asJsonString: true).
"Create a key store holding the key used to verify the signature"
keyStore := SstJwkStore new
    addKey: '{"kty": "oct",
        "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"}' asJwk;
    yourself.
verified := (jwt verifyWith: keyStore) waitFor.
Transcript cr; show: ('Verified: %1' bindWith: verified asString).
"Alternatively, decode and verify the JWT in one step"
jwt := (SstJwt decode: encoded verifyWith: keyStore) waitFor.
"Validate the claims: expiry (with tolerance 3) and the expected issuer.
 Note: this sample token is the RFC 7515 example; its payload carries
 iss \"joe\" and an exp from 2011, so validation is expected to fail here."
jwt claims validateWithTolerance: 3 issuer: 'alice' audience: nil.
Create a JWT
| claims builder jws |
"Claims: expires in 4 hours, issued by alice"
claims := SstJwtClaims fromJson: '{
    "exp": ', (DateAndTime now + (Duration hours: 4)) asUnixTime asString, ',
    "iss": "alice"}'.
"Create a builder; the JWT is encoded in a JWS, so use SstJwsBuilder"
builder := SstJwsBuilder new.
builder contentJson: claims asJsonObject.
"Add the signing key; a JWT can have only one recipient"
builder
    addRecipientWith: '{
        "kty": "oct",
        "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
    }' asJwk
    algorithm: 'HS256'.
"Build the JWS"
jws := builder build.
"Output the compact serialization"
Transcript cr; show: ('jwt compact serialization: %1' bindWith: jws asCompactString).
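The create and decode/verify/validate procedures above combined into one round trip, as an added example that is not part of the original page or the library's own code: it shows that decoding alone exposes the claims without authenticating them, that verification against a store holding a different key fails, and that the claims are validated only after the signature has been verified with the signing key. It assumes that verifyWith: answers false (rather than signalling an error) when no key in the store matches, and both key values are constructed for this example.

```smalltalk
"Added example, not from the original page. Assumes verifyWith: answers false
 for a non-matching key; both 'k' values below are constructed sample keys."
| signingKey otherKey claims builder compact jwt wrongStore rightStore |
signingKey := '{"kty": "oct",
    "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"}' asJwk.
otherKey := '{"kty": "oct",
    "k": "nOtThEsIgNiNgKeY-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-0123w"}' asJwk.

"1. Create: claims expiring in one hour, issued by alice, signed with HS256"
claims := SstJwtClaims fromJson: '{
    "exp": ', (DateAndTime now + (Duration hours: 1)) asUnixTime asString, ',
    "iss": "alice"}'.
builder := SstJwsBuilder new.
builder contentJson: claims asJsonObject.
builder addRecipientWith: signingKey algorithm: 'HS256'.
compact := builder build asCompactString.

"2. Decode only: the claims are readable by anyone holding the token.
   Nothing here proves who produced them, so do not act on them yet."
jwt := SstJwt fromCompactString: compact.
Transcript cr; show: 'unverified claims: ', (jwt claims asJsonString: true).

"3. Verify against a store that lacks the signing key: expected false"
wrongStore := SstJwkStore new addKey: otherKey; yourself.
Transcript cr; show: ('Verified with other key: %1'
    bindWith: (jwt verifyWith: wrongStore) waitFor asString).

"4. Verify against a store holding the signing key: expected true"
rightStore := SstJwkStore new addKey: signingKey; yourself.
Transcript cr; show: ('Verified with signing key: %1'
    bindWith: (jwt verifyWith: rightStore) waitFor asString).

"5. Only after a successful verification, check expiry and issuer"
jwt claims validateWithTolerance: 3 issuer: 'alice' audience: nil.
```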
Class Methods
_PRAGMA_NlsCatJwt
  %%PRAGMA DECLARE
    (name: NlsCatJwt isPool: true pragma: 'NLS jwt')
    (pool: NlsCatJwt declarations: (
        (name: MxJwt1 comment: 'Nested JWTs are not yet supported.')
        (name: MxJwt2 comment: 'Jwt is expired.')
        (name: MxJwt3 comment: 'Jwt issuer does not match 
loaded
No comment
localize
  Localize the receiver application to the default messages locale.
  This method MUST reset any strings that are being cached by the
  application or its classes. This must be done after the relocalizeTo: line.
Instance Methods
None
Last modified date: 01/15/2026