JWT

A pure Luma JSON Web Token library. No external dependencies — it implements JWT signing, verification, and decoding using Luma’s crypto and json standard libraries.

Features

• HS256 signing and verification (HMAC-SHA256)
• HS512 signing and verification (HMAC-SHA512)
• Payload decoding without verification
• Header inspection
• Constant-time signature comparison (crypto.equal)
• Standards-compliant tokens (RFC 7519)

Quick Start

jwt = import "jwt"

// Sign a token
token: str = jwt.encode({"sub": "1001", "name": "Alice"}, "my-secret")
print(token)

// Verify and decode
payload: any = jwt.verify(token, "my-secret")
name: str = payload["name"].to_str()
print(name)

// Check validity without decoding
valid: bool = jwt.is_valid(token, "my-secret")
print(valid)

Installation

1. Download the module file: jwt.luma
2. Place it in your project directory (or a lib/ folder)
3. Import it in your code:

jwt = import "jwt"

API Reference

Usage

Signing a token

jwt = import "jwt"

token: str = jwt.encode({
    "sub": "1001",
    "name": "Alice",
    "role": "admin"
}, "my-secret")

The default algorithm is HS256. Use jwt.encode_512() for HS512:

token: str = jwt.encode_512({"sub": "1001"}, "my-secret")

Verifying a token

payload: any = jwt.verify(token, "my-secret")
name: str = payload["name"].to_str()

verify() panics if the signature is invalid. Use is_valid() for a boolean check:

if jwt.is_valid(token, "my-secret") {
    payload: any = jwt.decode(token)
    // ...
}

Inspecting without verification

claims: any = jwt.decode(token)
hdr: any = jwt.header(token)
alg: str = hdr["alg"].to_str()