[Pitch] JWTKit

Pitch

Hello everyone,
Now we've released the Beta of JWTKit v5 we feel we're in a good position to pitch this to the incubation process. We're not anticipating any API changes unless anything comes up before we tag the final release.

Motivation

JWTs are an extremely powerful and popular tool used for safe data transfer between two parties in a distributed system and any modern server-side ecosystem provides its users with a JWT library.

Proposed Solution

JWTKit is Vapor's JWT library, it supports all modern signing and verifying algorithms (HS, RS, PS, ES, EdDSA), and is used by thousands of server applications. We feel it would make a good addition to the SSWG incubation process as it is well maintained, built with ecosystem standards and well battle tested. The last version sees the eradication of BoringSSL replaced by SwiftCrypto and the conformance of the library's types to Sendable.

JWTKit provides the user with most operations needed to process JWTs, and a customisation API for the options that are not present.

JWTKit's API revolves around the JWTKeyCollection type, which, as the name suggests, is a collection of keys which can sign and verify tokens. It's an actor, which means that access to its state is async:

let keys = JWTKeyCollection()
try await keys.addES256(key: ES256PrivateKey(pem: yourPEMString))

after creating a payload type:

struct TestPayload: JWTPayload { ... }

this collection can both sign:

let payload = TestPayload( ... )
let tokenStringRepresentation = try await keys.sign(payload)

and verify:

let payload = try await keys.verify(tokenStringRepresentation, as: TestPayload.self)

More details on the API can be found on the package's README

15 Likes

Hi Paul, sorry for the wait -- while there was not much discussion on the pitch the library looks good.

We can run the review immediately but I'd like to ask you to make an proposal Pull Request using this template to that repository. Once you made the pull request we can run the proper review immediately.

Please consider the maturity levels when you decide what level you'd like to be reviewed under. It seems like Incubating might be good for this, especially since it has more than 2 active developers which is the usual problem with that level.

I'll run the review so please ping me on the PR (@ktoso on github)

This is now under review :slight_smile:

1 Like