explaingit

dgrijalva/jwt-go

10,756 · Go
Audience · developer
Complexity · 2/5
Setup · easy

TLDR

A Go library for creating, signing, parsing, and verifying JSON Web Tokens. Note that this repo is unmaintained; the active successor is golang-jwt/jwt, which is the right place for new projects.

Mindmap

mindmap
  root((jwt-go))
    What it does
      Create tokens
      Sign tokens
      Parse tokens
      Verify signatures
    Signing methods
      HMAC symmetric
      RSA asymmetric
      ECDSA asymmetric
      Custom methods
    Use cases
      User authentication
      OAuth 2 bearer
      API authorization
    Security note
      Algorithm enforcement
      Avoid none exploit
    Status
      Unmaintained
      golang-jwt fork active


Things people build with this

USE CASE 1

Add JWT-based authentication to a Go web service by signing a token at login and verifying it on each subsequent request.

USE CASE 2

Implement OAuth 2 bearer token validation in a Go API using RSA asymmetric signing so the private key never leaves your auth server.

USE CASE 3

Parse and inspect JWT claims in a Go middleware function to authorize user actions based on roles stored in the token payload.

Tech stack

Go

Getting it running

Difficulty · easy
Time to first run · 30min

This repo is unmaintained; migrate to golang-jwt/jwt for ongoing bug fixes and security patches.

In plain English

jwt-go is a Go library for working with JSON Web Tokens, a standard format for passing signed claims between systems. A JSON Web Token is a compact string made of three parts: a header describing the signing method used, a payload containing the actual data (called claims), and a cryptographic signature that lets the receiver verify the token has not been tampered with. JWTs are commonly used in authentication systems, for example as the bearer token in OAuth 2 flows.

This library handles the four core operations: creating a token, signing it, parsing a received token, and verifying the signature. It supports symmetric signing with HMAC (where the same secret is used to both sign and verify) and asymmetric signing with RSA and ECDSA (where a private key signs and a public key verifies). The library also lets you plug in your own signing methods if the built-ins do not cover your case.

The README includes a practical note about a common security mistake: always verify that the algorithm named in the incoming token's header is the one you expect, rather than letting the token choose. Some JWT libraries have historically been vulnerable to attacks where a malicious token claims to use the "none" algorithm and bypasses signature verification entirely. This library requires explicit opt-in to accept unsigned tokens.

One important note: this repository is no longer maintained. The author transferred the project to a community-maintained fork at golang-jwt/jwt, which is where active development continues. If you are starting a new project or need recent bug fixes, the maintained fork is the right place to look. This repository remains available for reference and for existing code that still imports the old package path.
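The following is an added example, not code from jwt-go or its README. It shows the mechanism behind the security note above and behind use case 1 (sign a token at login, verify it on each request), written against the Go standard library only so it runs without the dependency: a token is signed with HMAC-SHA256, and the verifier compares the header's algorithm against the one it expects before it checks the signature or reads a single claim, so a token whose header claims "none" (or any other algorithm) is rejected up front. In jwt-go itself the same decision belongs in the key function passed to jwt.Parse, which receives the parsed token and should inspect its signing method before returning a key. The names SignHS256, VerifyHS256, Header, Claims, the error values and the sample secret are this example's own, not the library's API.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Header is the JOSE header; Alg is what the token *claims* was used to sign it.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// Claims is the payload: a subject (user ID) and an expiry as a Unix timestamp.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var (
	ErrMalformed = errors.New("jwt: malformed token")
	ErrAlgorithm = errors.New("jwt: unexpected signing algorithm")
	ErrSignature = errors.New("jwt: signature verification failed")
	ErrExpired   = errors.New("jwt: token has expired")
)

// JWT segments are unpadded base64url.
var b64 = base64.RawURLEncoding

// SignHS256 builds header.payload.signature with HMAC-SHA256 over the first two segments.
func SignHS256(claims Claims, secret []byte) (string, error) {
	hdr, err := json.Marshal(Header{Alg: "HS256", Typ: "JWT"})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 returns the claims only if the header names HS256, the HMAC over
// header.payload matches under secret, and the token has not expired at now.
// The algorithm check runs before anything else: the verifier, never the token's
// header, decides which algorithm is acceptable, so an "alg":"none" token fails here.
func VerifyHS256(token string, secret []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrMalformed
	}
	var hdr Header
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return Claims{}, ErrMalformed
	}
	if hdr.Alg != "HS256" {
		return Claims{}, ErrAlgorithm
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, ErrMalformed
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return Claims{}, ErrSignature
	}
	// Only after the signature checks out is the payload decoded and acted on.
	var claims Claims
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return Claims{}, ErrMalformed
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return Claims{}, ErrExpired
	}
	return claims, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample; use a random key in practice
	now := time.Now()
	tok, _ := SignHS256(Claims{Sub: "user-42", Exp: now.Add(time.Hour).Unix()}, secret)
	c, err := VerifyHS256(tok, secret, now)
	fmt.Println("signed token:", c.Sub, err)
	// Constructed sample: same payload, but a header claiming "none" and an empty signature.
	unsigned := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + strings.Split(tok, ".")[1] + "."
	_, err = VerifyHS256(unsigned, secret, now)
	fmt.Println("unsigned token:", err)
}
```

The order of checks is the point: algorithm first, then signature over the exact header and payload bytes as received, and only then the claims. A missing exp is treated as expired (time.Unix(0, 0) is in the past), so a token cannot be made permanent by omitting the claim, and hmac.Equal keeps the signature comparison constant-time.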

Copy-paste prompts

Prompt 1
Using jwt-go in Go, create a signed JWT with HMAC-SHA256 that includes a user ID and expiry claim, then verify and parse it. Show the full code.
Prompt 2
How do I use jwt-go to sign a JWT with an RSA private key and verify it with the corresponding public key? Show the Go code for both operations.
Prompt 3
I want to add JWT authentication middleware to a Go HTTP server using jwt-go. Show me a middleware function that checks the Authorization header and rejects invalid tokens.
Prompt 4
What is the algorithm confusion attack with JWT, and how does jwt-go's API help prevent it? Show the correct way to parse a token while enforcing the expected algorithm.