To complete this example you need to have a Vault instance available and unsealed. You will also need the following environment variables set.
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=x.abcdefghijk1234567-
Enable transit engine
vault secrets enable transit -
Create our signing key
vault write -f transit/keys/jwt type=rsa-4096 exportable=true
This python example uses the HVAC client for Vault and the JWCrypto libraries for generating a JWT.
-
Install python dependancies
pip install jwcrypto hvac
-
Generate token with
gen-jwt.py./gen-jwt.py
This will output the JWT and write it to the file
token.jwt -
Verify token with
check-jwt.py./check-jwt.py
This reads the token from the file (
token.jwt) from the previous step and outputs theinfoclaim.# Example $ ./check-jwt.py {"info":"Token signed at: 18/05/2021 15:36:22"}
-
Create a
priv.pemfile with your private key in PEM format. -
Generate token with
gen-jwt.py./gen-jwt.py
This will output the JWT and write it to the file
token.jwt -
Verify token with
check-jwt.py./check-jwt.py
Since the provided private key doesn't come from Vault, the JWT verification will fail.
# Example $ ./check-jwt.py Not signed by key version: 1 Not signed by key version: 2 Not signed by key version: 3 Not signed by key version: 4 Not signed by key version: 5 Token not signed by any key
The private key for signing can be rotated with the rotate-key.py script.
$ ./rotate-key.pyBy default the script uses the latest version of the signing key. This can be
adjusted by setting the KEY_VER environment variable.
export KEY_VER=5
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent