# Python JWT signature example

This example shows how to generate and verify JSON Web Tokens (JWT) with Tink.

It demonstrates the basic steps of using Tink, namely loading key material,
obtaining a primitive, and using the primitive to do crypto.

The key material was generated with:

```shell
$ tinkey create-keyset --key-template JWT_ES256 --out-format JSON \
    --out jwt_test_private_keyset.json

$ tinkey create-public-keyset --in jwt_test_private_keyset.json \
  --in-format JSON --out jwt_test_public_keyset.json --out-format JSON
```

Note that these keysets use Tink's JSON keyset format, which is different from,
and not compatible with, the JSON Web Key Set (JWK Set) format.

## Build and run

### Bazel

Build the examples:

```shell
$ git clone https://github.com/google/tink
$ cd tink/python/examples
$ bazel build ...
```

Generate a JWT token using the private keyset:

```shell
$ touch token_file.txt

$ ./bazel-bin/jwt/jwt_sign \
    --private_keyset_path ./jwt/jwt_test_private_keyset.json \
    --audience "audience" --token_path token_file.txt
```

You can convert the public keyset into
[JWK Set](https://datatracker.ietf.org/doc/html/rfc7517#section-5) format. This
is useful if you want to share the public keyset with someone who is not using
Tink. Note that this functionality was added after the v1.7.0 release.

```shell
$ touch public_jwk_set.json

$ ./bazel-bin/jwt/jwt_generate_public_jwk_set \
    --public_keyset_path ./jwt/jwt_test_public_keyset.json \
    --public_jwk_set_path public_jwk_set.json
```

You can verify a token using a public keyset given in JWK Set format:

```shell
$ ./bazel-bin/jwt/jwt_verify \
    --public_jwk_set_path public_jwk_set.json \
    --audience "audience" --token_path token_file.txt
```
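Tink JSON keysets and JWK Sets are both plain JSON files, and only public key material should be shared, so a check before sharing can tell the formats apart and refuse anything that carries secrets. The following is an added example, not part of the Tink examples: `classify_key_file` and the sample documents are constructed for illustration (all key values are placeholders), and the check relies only on the `keyMaterialType` field of Tink's JSON keyset format and the private-key members defined for JWK in RFC 7518.

```python
import json

# JWK members that hold private or symmetric key material (RFC 7518).
JWK_SECRET_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def classify_key_file(text):
    """Return (format, shareable) for the JSON text of a key file.

    format is "tink-keyset", "jwk-set" or "unknown"; shareable is True only
    if every key in the file is public key material.
    """
    try:
        doc = json.loads(text)
    except ValueError:
        return ("unknown", False)
    if not isinstance(doc, dict):
        return ("unknown", False)
    jwks, tink_keys = doc.get("keys"), doc.get("key")
    if isinstance(jwks, list) and jwks:  # JWK Set: top-level "keys" array
        if not all(isinstance(k, dict) and "kty" in k for k in jwks):
            return ("unknown", False)
        return ("jwk-set", not any(JWK_SECRET_MEMBERS.intersection(k) for k in jwks))
    if isinstance(tink_keys, list) and tink_keys:  # Tink keyset: "key" array
        if not all(isinstance(k, dict) and isinstance(k.get("keyData"), dict)
                   for k in tink_keys):
            return ("unknown", False)
        types = [k["keyData"].get("keyMaterialType") for k in tink_keys]
        return ("tink-keyset", all(t == "ASYMMETRIC_PUBLIC" for t in types))
    return ("unknown", False)


# Constructed samples: field layout only, every key value is a placeholder.
TINK_PRIVATE = json.dumps({"primaryKeyId": 1, "key": [{
    "keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey",
                "value": "PLACEHOLDER", "keyMaterialType": "ASYMMETRIC_PRIVATE"},
    "status": "ENABLED", "keyId": 1, "outputPrefixType": "TINK"}]})
TINK_PUBLIC = TINK_PRIVATE.replace("Private", "Public").replace("PRIVATE", "PUBLIC")
JWK_PUBLIC = json.dumps({"keys": [{"kty": "EC", "crv": "P-256", "use": "sig",
                                   "alg": "ES256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"}]})
JWK_PRIVATE = JWK_PUBLIC.replace('"x"', '"d": "PLACEHOLDER", "x"')

if __name__ == "__main__":
    for name in ("TINK_PRIVATE", "TINK_PUBLIC", "JWK_PUBLIC", "JWK_PRIVATE"):
        print(name, classify_key_file(globals()[name]))
```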