Pitch
Hello everyone,
Now that we've released the Beta of JWTKit v5, we feel we're in a good position to pitch this to the incubation process. We're not anticipating any API changes unless anything comes up before we tag the final release.
Motivation
JWTs are an extremely powerful and popular tool used for safe data transfer between two parties in a distributed system, and any modern server-side ecosystem provides its users with a JWT library.
Proposed Solution
JWTKit is Vapor's JWT library. It supports all modern signing and verifying algorithms (HS, RS, PS, ES, EdDSA), and is used by thousands of server applications. We feel it would make a good addition to the SSWG incubation process as it is well maintained, built with ecosystem standards and well battle-tested. The last version sees the eradication of BoringSSL, replaced by SwiftCrypto, and the conformance of the library's types to Sendable.
JWTKit provides the user with most operations needed to process JWTs, and a customisation API for the options that are not present.
JWTKit's API revolves around the JWTKeyCollection type, which, as the name suggests, is a collection of keys which can sign and verify tokens. It's an actor, which means that access to its state is async:
let keys = JWTKeyCollection()
try await keys.addES256(key: ES256PrivateKey(pem: yourPEMString))
after creating a payload type:
struct TestPayload: JWTPayload { ... }
this collection can both sign:
let payload = TestPayload( ... )
let tokenStringRepresentation = try await keys.sign(payload)
and verify:
let payload = try await keys.verify(tokenStringRepresentation, as: TestPayload.self)
More details on the API can be found in the package's README.