Class Jwt

java.lang.Object

com.codename1.security.Jwt

public final class Jwt
extends Object

JSON Web Token (RFC 7519) signing and verification.

Supported algorithms:

• HS256, HS384, HS512 -- HMAC with SHA-2. Pure Java, available on every platform.
• RS256, RS384, RS512 -- RSA-PKCS1-v1_5 with SHA-2. Backed by the platform's native crypto via Signature.
• ES256, ES384, ES512 -- ECDSA with SHA-2. Backed by the platform's native crypto via Signature.
• none -- unsigned tokens. Accepted on the signing side only when caller explicitly passes it; rejected on verification unless caller opts in via verifyAllowNoneAlgorithm.

Sign a token

Map<String, Object> claims = new HashMap<String, Object>();
claims.put("sub", "user-123");
claims.put("exp", System.currentTimeMillis() / 1000 + 3600);

String token = Jwt.signHs256(claims, "secret".getBytes("UTF-8"));

Verify and read claims

Jwt parsed = Jwt.parse(token);
if (!parsed.verifyHs256("secret".getBytes("UTF-8"))) {
    throw new SecurityException("bad signature");
}
String sub = (String) parsed.getClaim("sub");

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ES256	ECDSA with SHA-256 ("ES256")
static final String	ES384	ECDSA with SHA-384 ("ES384")
static final String	ES512	ECDSA with SHA-512 ("ES512")
static final String	HS256	HMAC-SHA-256 ("HS256")
static final String	HS384	HMAC-SHA-384 ("HS384")
static final String	HS512	HMAC-SHA-512 ("HS512")
static final String	NONE	Unsigned token marker -- verification rejects this unless the caller explicitly opts in.
static final String	RS256	RSA PKCS#1 v1.5 with SHA-256 ("RS256")
static final String	RS384	RSA PKCS#1 v1.5 with SHA-384 ("RS384")
static final String	RS512	RSA PKCS#1 v1.5 with SHA-512 ("RS512")

Method Summary

Modifier and Type	Method	Description
String	getAlgorithm()	Returns the alg field from the JWT header (e.g. "HS256").
Object	getClaim(String name)	Returns the value of a single claim, or null if the claim is absent.
Map<String,Object>	getClaims()	Returns the parsed claims (token payload) as an unmodifiable view into the original map.
Map<String,Object>	getHeader()	Returns the parsed header as an unmodifiable view into the original map.
byte[]	getSignature()	Returns the raw bytes of the signature segment as decoded from URL-safe base64.
static Jwt	parse(String token)	Parses an encoded JWT into a Jwt object.
void	setVerifyAllowNoneAlgorithm(boolean allow)	When set to true, verify(PublicKey) will accept tokens whose alg header is none (i.e. unsigned).
static String	sign(Map<String,Object> claims, byte[] secret, String algorithm)	Signs claims with the given HMAC algorithm.
static String	sign(Map<String,Object> claims, PrivateKey privateKey, String algorithm)	Signs claims with the given RSA or ECDSA algorithm.
static String	signHs256(Map<String,Object> claims, byte[] secret)	Signs claims with HS256 and returns the encoded token.
static String	signHs384(Map<String,Object> claims, byte[] secret)	Signs claims with HS384 and returns the encoded token.
static String	signHs512(Map<String,Object> claims, byte[] secret)	Signs claims with HS512 and returns the encoded token.
static String	signNone(Map<String,Object> claims)	Builds an unsigned token (header {"alg":"none"}).
boolean	verify(PublicKey publicKey)	Verifies an RSA or ECDSA signature using the given public key.
boolean	verifyHs256(byte[] secret)	Verifies with a shared HMAC secret.
boolean	verifyHs384(byte[] secret)	HMAC verification with HS384.
boolean	verifyHs512(byte[] secret)	HMAC verification with HS512.

Methods inherited from class Object

clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

HS256

public static final String HS256

HMAC-SHA-256 ("HS256")

See Also:

• Constant Field Values

HS384

public static final String HS384

HMAC-SHA-384 ("HS384")

See Also:

• Constant Field Values

HS512

public static final String HS512

HMAC-SHA-512 ("HS512")

See Also:

• Constant Field Values

RS256

public static final String RS256

RSA PKCS#1 v1.5 with SHA-256 ("RS256")

See Also:

• Constant Field Values

RS384

public static final String RS384

RSA PKCS#1 v1.5 with SHA-384 ("RS384")

See Also:

• Constant Field Values

RS512

public static final String RS512

RSA PKCS#1 v1.5 with SHA-512 ("RS512")

See Also:

• Constant Field Values

ES256

public static final String ES256

ECDSA with SHA-256 ("ES256")

See Also:

• Constant Field Values

ES384

public static final String ES384

ECDSA with SHA-384 ("ES384")

See Also:

• Constant Field Values

ES512

public static final String ES512

ECDSA with SHA-512 ("ES512")

See Also:

• Constant Field Values

NONE

public static final String NONE

Unsigned token marker -- verification rejects this unless the caller explicitly opts in.

See Also:

• Constant Field Values

Method Details

signHs256

public static String signHs256(Map<String,Object> claims,
 byte[] secret)

Signs claims with HS256 and returns the encoded token.

signHs384

public static String signHs384(Map<String,Object> claims,
 byte[] secret)

Signs claims with HS384 and returns the encoded token.

signHs512

public static String signHs512(Map<String,Object> claims,
 byte[] secret)

Signs claims with HS512 and returns the encoded token.

sign

public static String sign(Map<String,Object> claims,
 byte[] secret,
 String algorithm)

Signs claims with the given HMAC algorithm. Use this when you want to pass the algorithm dynamically.

sign

public static String sign(Map<String,Object> claims,
 PrivateKey privateKey,
 String algorithm)

Signs claims with the given RSA or ECDSA algorithm.

Parameters

• claims: token body

• privateKey: signing key -- must match the algorithm family

• algorithm: one of RS256, RS384, RS512, ES256, ES384, ES512

signNone

public static String signNone(Map<String,Object> claims)

Builds an unsigned token (header {"alg":"none"}). Accepting these on the verify side is dangerous -- see verifyAllowNoneAlgorithm.

parse

public static Jwt parse(String token)

Parses an encoded JWT into a Jwt object. The signature is NOT verified -- you must call one of the verify* methods afterwards.

setVerifyAllowNoneAlgorithm

public void setVerifyAllowNoneAlgorithm(boolean allow)

When set to true, verify(PublicKey) will accept tokens whose alg header is none (i.e. unsigned). The default is false because in most JWT deployments accepting unsigned tokens is a critical security bug. Only enable this if you have very deliberately decided that you trust the transport.

verifyHs256

public boolean verifyHs256(byte[] secret)

Verifies with a shared HMAC secret. The token's alg header is read and must be one of the HS family.

verifyHs384

public boolean verifyHs384(byte[] secret)

HMAC verification with HS384.

verifyHs512

public boolean verifyHs512(byte[] secret)

HMAC verification with HS512.

verify

public boolean verify(PublicKey publicKey)

Verifies an RSA or ECDSA signature using the given public key. The algorithm must match the token's alg header (RS256/384/512 or ES256/384/512).

getAlgorithm

public String getAlgorithm()

Returns the alg field from the JWT header (e.g. "HS256").

getHeader

public Map<String,Object> getHeader()

Returns the parsed header as an unmodifiable view into the original map. Mutating it has undefined behaviour.

getClaims

public Map<String,Object> getClaims()

Returns the parsed claims (token payload) as an unmodifiable view into the original map. Mutating it has undefined behaviour.

getClaim

public Object getClaim(String name)

Returns the value of a single claim, or null if the claim is absent.

getSignature

public byte[] getSignature()

Returns the raw bytes of the signature segment as decoded from URL-safe base64. May be empty for unsigned tokens.