jwt-encode


# JWT Encode

Create and sign JWTs for testing and development.

## Steps

1. Gather inputs: claims/payload, algorithm (default: HS256), secret or key, expiration (default: 1 hour).
2. Build header: `{"alg": "HS256", "typ": "JWT"}`. Add `kid` if provided.
3. Build payload: always include `iat` and `exp` unless the user opts out. Add user-specified claims.
4. Sign the token using the best available method (see below).
5. Display the result: the full JWT string and a decoded breakdown of header + payload.

## Signing Methods

Pick the first available. Use the user's claims, secret, and algorithm — the examples below are templates only. Always pass the secret via an inline env var to avoid shell history exposure.

**Node.js (preferred):** first, ensure `jose` is available — install it globally if missing:

```bash
node --input-type=module -e "await import('jose')" 2>/dev/null || npm install -g jose
```

Then sign the token:

```bash
JWT_SECRET='user-provided-secret' node --input-type=module -e "import {SignJWT} from 'jose'; console.log(await new SignJWT({sub:'1234567890'}).setProtectedHeader({alg:'HS256'}).setIssuedAt().setExpirationTime('1h').sign(new TextEncoder().encode(process.env.JWT_SECRET)))"
```

**Python:**

```bash
JWT_SECRET='user-provided-secret' python3 -c "import jwt,time; print(jwt.encode({'sub':'1234567890','iat':int(time.time()),'exp':int(time.time())+3600}, __import__('os').environ['JWT_SECRET'], algorithm='HS256'))"
```

**Bash (HMAC-SHA256 only):**

```bash
header=$(printf '{"alg":"HS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
payload=$(printf '{"sub":"1234567890","iat":1700000000,"exp":1700003600}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
signature=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -hmac "$JWT_SECRET" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
printf '%s.%s.%s\n' "$header" "$payload" "$signature"
```
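As an added example that is not the skill's own code, the following stdlib-only Python encoder carries out steps 2 to 5 above (header with optional `kid`, default `iat`/`exp`, HMAC signature, decoded breakdown) and, for the same claims, timestamps and secret, yields the same header, payload and signature as the Bash template. The parameter names `kid`, `ttl`, `now` and `timestamps` and the helper names are this example's own choices.

```python
import base64, hashlib, hmac, json, time

# Added example, not the skill's own code. Stdlib-only HMAC JWT encoder that
# mirrors the steps above; parameter names (kid, ttl, now, timestamps) are this
# example's own choices.
_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    # base64url without padding, same as `tr '+/' '-_' | tr -d '='` in the Bash template
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _compact(obj) -> bytes:
    # no whitespace, so the encoded header is byte-identical to the Bash template's
    return json.dumps(obj, separators=(",", ":")).encode()

def encode_jwt(claims, secret, alg="HS256", kid=None, ttl=3600, now=None, timestamps=True):
    if alg not in _HMAC_ALGS:  # refuses "none" and the asymmetric algs this helper cannot sign
        raise ValueError(f"unsupported alg {alg!r}: this helper signs with HMAC only")
    header = {"alg": alg, "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    payload = dict(claims)
    if timestamps:  # step 3: iat/exp unless the user opts out
        now = int(time.time()) if now is None else int(now)
        payload.setdefault("iat", now)
        payload.setdefault("exp", now + ttl)
    signing_input = f"{b64url(_compact(header))}.{b64url(_compact(payload))}"
    sig = hmac.new(secret.encode(), signing_input.encode(), _HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{b64url(sig)}"

def decode_unverified(token):
    # step 5: the header + payload breakdown; this does NOT check the signature
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify_hmac(token, secret):
    # sanity check for a generated token; rejects alg=none and non-HMAC algs outright
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in _HMAC_ALGS:
        return False
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), _HMAC_ALGS[alg]).digest()
    return hmac.compare_digest(expected, b64url_decode(s))
```

With `now=1700000000` and `{"sub": "1234567890"}` the first two segments match the Bash template's `header` and `payload` values exactly.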

## Generating Test Keys

Only when the user needs asymmetric keys:

RSA:

```bash
openssl genrsa -out private.pem 2048 && openssl rsa -in private.pem -pubout -out public.pem
```

ECDSA P-256:

```bash
openssl ecparam -genkey -name prime256v1 -noout -out private-ec.pem && openssl ec -in private-ec.pem -pubout -out public-ec.pem
```

## Security Rules

- Never pass secrets as literal command-line arguments. Use environment variables (`$JWT_SECRET`) or file input (`--secret-file`). Command args are visible in shell history and `ps` output.
- Never install packages without user consent. Do not use `npx -y` or `pip install` silently.
- If the user doesn't provide a secret, generate a random one with `openssl rand -base64 32` and clearly label it as a test-only secret.
- `alg: none` — If the user requests it, warn that this creates an unsigned token exploitable via CVE-2015-9235. Only create it after explicit confirmation.
- Generated key files — Remind the user to delete test keys when done. Never write keys to version-controlled directories.
