
JWT +

Premium JWT module for BoxLang+ providing complete JWS signing, JWE encryption, and a fluent token builder with RFC 7518 / RFC 7519 compliance.

The bx-jwt module is a production-ready BoxLang library for creating, signing, verifying, encrypting, and decrypting JSON Web Tokens (JWT/JWE). It implements:

  • JWS (JSON Web Signature) — signed tokens using HMAC, RSA, or EC keys

  • JWE (JSON Web Encryption) — encrypted tokens using RSA or symmetric keys

  • RFC 7518 — JSON Web Algorithms

  • RFC 7519 — JSON Web Token

🚀 Key Features

  • 🔑 HMAC Signing — HS256, HS384, HS512 with RFC 7518 minimum key length enforcement

  • 🔐 RSA Signing — RS256, RS384, RS512

  • 📐 EC Signing — ES256 (P-256), ES384 (P-384), ES512 (P-521)

  • 🔒 JWE Encryption — RSA-OAEP-256, direct symmetric (dir) with A256GCM

  • 🗝️ Named Key Registry — register keys by name in module config; reference by name in BIFs

  • 🏗️ Fluent Builder — jwtNew() returns a chainable builder for elegant token creation

  • ♻️ Token Refresh — jwtRefresh() re-issues tokens with fresh time claims

  • 🔓 Decode Without Verify — jwtDecode() to inspect headers/claims before choosing a key

  • ✅ Boolean Validation — jwtValidate() returns true/false without throwing

  • 🔧 Key Generation — jwtGenerateSecret() and jwtGenerateKeyPair() helpers

  • ⏱️ Clock Skew — configurable tolerance for exp / nbf validation

  • 📋 Default Claims — auto-inject iss, aud, exp, iat, jti from module settings

  • 🚫 alg:none Protection — unconditionally rejects unsigned tokens

  • 📋 Algorithm Allowlist — restrict permitted algorithms via module settings

📦 Installation

🎯 Registered BIFs

This module registers the following Built-In Functions (BIFs):

| Function | Purpose |
| --- | --- |
| jwtNew() | Returns a fluent JwtBuilder for chainable token construction |
| jwtCreate() | Signs a payload and returns a compact JWS token string |
| jwtVerify() | Verifies a JWS signature & claims; throws on failure |
| jwtValidate() | Like jwtVerify() but returns true/false instead of throwing |
| jwtDecode() | Decodes a JWS token without verifying the signature |
| jwtRefresh() | Re-issues a token with fresh iat, jti, optional new exp |
| jwtEncrypt() | Encrypts a payload as a compact JWE token |
| jwtDecrypt() | Decrypts a JWE token and returns the claims struct |
| jwtGenerateSecret() | Generates a cryptographically random Base64 HMAC secret (default: 256) |
| jwtGenerateKeyPair() | Generates an RSA or EC key pair as PEM strings |

⚑ Quick Start

Sign & Verify (HMAC)

Sign & Verify (RSA)

Fluent Builder

Encrypt & Decrypt (JWE)

📚 Usage Guides

🔌 Reference

✅ Requirements

  • BoxLang Runtime 1.0.0+

  • BoxLang+ License (learn more)

📄 License

Licensed under the BoxLang Plus Subscription License.
