Issue authentication tokens in a Java backend after user login, then verify them on each subsequent API request.
Pass user identity claims between microservices securely without requiring database lookups on every call.
Encrypt sensitive user data inside a JWT payload so third-party services can relay tokens without reading their contents.
Generate and parse JSON Web Keys (JWKs) to share public keys between services for token verification.
Requires three separate Maven/Gradle dependencies: API, implementation (runtime-only), and a JSON adapter. Android also needs Proguard rules.
JJWT is a Java library for creating, signing, and verifying JSON Web Tokens. A JWT is a compact piece of text that carries information about a user or system in a way that can be trusted. JWTs are most commonly used for authentication: a server issues a token after a user logs in, and other services verify that token without hitting a database. JJWT handles all the cryptographic work behind the scenes through a simple, readable builder API.

The library supports three types of tokens. A plain JWT carries claims with no security protection. A signed JWT (called a JWS) adds a digital signature so any party with the right key can confirm the data has not been modified. An encrypted JWT (called a JWE) goes further by hiding the payload entirely so only authorized parties can read it. JJWT covers all standard signing algorithms (HMAC, RSA, ECDSA, EdDSA) and all standard encryption algorithms defined in the JOSE specifications.

Working with the API looks like this: call a builder, set a subject claim, sign it with a key, and call compact() to get a short string you can pass in HTTP headers or URLs. Verifying is a single line: parse it with the same key, and the library throws an exception if the signature fails or the token has expired. JJWT also handles JSON Web Keys (JWKs), the standard format for representing cryptographic keys as JSON.

The library runs on Java 8 and later, and on Android. Installation requires three dependencies via Maven or Gradle: the public API, the internal implementation (declared runtime-only so internal details can change without breaking your code), and a JSON adapter for Jackson or Gson. Android projects need Proguard rules and optionally the BouncyCastle security provider for certain advanced algorithms.

JJWT is open source under the Apache 2.0 license, ships with nearly 1,700 tests at enforced 100% code coverage, and fully implements the relevant JOSE RFC specifications.
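The build, sign, compact, and parse flow described above, shown together with the rejection paths a verifier has to handle. This is an added example, not code from the JJWT project; it assumes the JJWT 0.12.x method names, and the class name, subject "alice", and lifetimes are constructed for illustration.

```java
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.SignatureException;

import javax.crypto.SecretKey;
import java.util.Date;

public class JjwtVerifyDemo {

    // Returns the subject if the token verifies, otherwise the reason it was rejected.
    static String check(String token, SecretKey key) {
        try {
            return "ok: " + Jwts.parser()
                    .verifyWith(key)            // key the signature must validate against
                    .build()
                    .parseSignedClaims(token)   // accepts signed tokens (JWS) only
                    .getPayload()
                    .getSubject();
        } catch (ExpiredJwtException e) {
            return "rejected: expired";
        } catch (SignatureException e) {
            return "rejected: bad signature";
        } catch (JwtException e) {
            // Any other parse or validation failure, e.g. a token with no signature
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        SecretKey key = Jwts.SIG.HS256.key().build();       // issuer's HMAC key
        SecretKey otherKey = Jwts.SIG.HS256.key().build();  // a key the issuer never used
        long now = System.currentTimeMillis();

        String valid = Jwts.builder().subject("alice")
                .issuedAt(new Date(now))
                .expiration(new Date(now + 15 * 60_000L))   // 15-minute lifetime
                .signWith(key).compact();
        String expired = Jwts.builder().subject("alice")
                .expiration(new Date(now - 60 * 60_000L))   // expired an hour ago
                .signWith(key).compact();
        String unsigned = Jwts.builder().subject("alice").compact(); // plain JWT, no signature

        System.out.println(check(valid, key));       // correct key, within lifetime
        System.out.println(check(expired, key));     // correct key, past expiration
        System.out.println(check(valid, otherKey));  // signature does not match this key
        System.out.println(check(unsigned, key));    // no signature to verify
    }
}
```

Catching the specific exceptions before the general `JwtException` lets a service log why a token was refused while still failing closed on anything unexpected.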