# Python JWT signature example

This example shows how to generate and verify JSON Web Tokens (JWT) with Tink.

It demonstrates the basic steps of using Tink, namely loading key material,
obtaining a primitive, and using the primitive to do crypto.

The key material was generated with:

```shell
$ tinkey create-keyset --key-template JWT_ES256 --out-format JSON \
    --out jwt_test_private_keyset.json

$ tinkey create-public-keyset --in jwt_test_private_keyset.json \
    --in-format JSON --out jwt_test_public_keyset.json --out-format JSON
```

Note that these keysets use Tink's JSON keyset format, which is different from
and not compatible with the JSON Web Key set (JWK set) format.

## Build and run

### Bazel

Build the examples:

```shell
$ git clone https://github.com/google/tink
$ cd tink/python/examples
$ bazel build ...
```

Generate a JWT token using the private keyset:

```shell
$ touch token_file.txt

$ ./bazel-bin/jwt/jwt_sign \
    --private_keyset_path ./jwt/jwt_test_private_keyset.json \
    --audience "audience" --token_path token_file.txt
```

You can convert the public keyset into
[JWK Set](https://datatracker.ietf.org/doc/html/rfc7517#section-5) format. This
is useful if you want to share the public keyset with someone who is not using
Tink. Note that this functionality was added after the v1.7.0 release.

```shell
$ touch public_jwk_set.json

$ ./bazel-bin/jwt/jwt_generate_public_jwk_set \
    --public_keyset_path ./jwt/jwt_test_public_keyset.json \
    --public_jwk_set_path public_jwk_set.json
```

You can verify a token using a public keyset given in JWK Set format:

```shell
$ ./bazel-bin/jwt/jwt_verify \
    --public_jwk_set_path public_jwk_set.json \
    --audience "audience" --token_path token_file.txt
```
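
The check below is an added example, not part of the Tink examples: it tells a Tink JSON keyset from a JWK Set by structure and reports whether the file holds only public key material, which is worth confirming before a keyset is shared. The function name `classify_keyset` and the sample values are constructed here; the field names are those of Tink's JSON keyset format and of RFC 7517/7518.

```python
import json

# JWK members that carry private or secret key material (RFC 7518, section 6).
JWK_SECRET_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def classify_keyset(text):
    """Return (format, public_only) for a serialized keyset.

    format is "tink-json", "jwk-set" or "unknown"; public_only is True only
    when every key in the set is public key material.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "unknown", False
    if not isinstance(doc, dict):
        return "unknown", False
    # Tink JSON keyset: top-level "key" list, each entry wrapping "keyData".
    keys = doc.get("key")
    if isinstance(keys, list) and keys and all(
            isinstance(k, dict) and isinstance(k.get("keyData"), dict) for k in keys):
        return "tink-json", all(
            k["keyData"].get("keyMaterialType") == "ASYMMETRIC_PUBLIC" for k in keys)
    # JWK Set (RFC 7517, section 5): top-level "keys" list of JWK objects.
    keys = doc.get("keys")
    if isinstance(keys, list) and keys and all(
            isinstance(k, dict) and "kty" in k for k in keys):
        return "jwk-set", not any(JWK_SECRET_MEMBERS.intersection(k) for k in keys)
    return "unknown", False


# Constructed samples: the key values are placeholders, not real key material.
TINK_PRIVATE = json.dumps({"primaryKeyId": 1, "key": [{
    "keyData": {
        "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey",
        "value": "PLACEHOLDER", "keyMaterialType": "ASYMMETRIC_PRIVATE"},
    "status": "ENABLED", "keyId": 1, "outputPrefixType": "RAW"}]})
TINK_PUBLIC = TINK_PRIVATE.replace("EcdsaPrivateKey", "EcdsaPublicKey").replace(
    "ASYMMETRIC_PRIVATE", "ASYMMETRIC_PUBLIC")
JWK_PUBLIC = json.dumps({"keys": [{
    "kty": "EC", "crv": "P-256", "alg": "ES256",
    "x": "PLACEHOLDER", "y": "PLACEHOLDER"}]})

if __name__ == "__main__":
    for name in ("TINK_PRIVATE", "TINK_PUBLIC", "JWK_PUBLIC"):
        print(name, classify_keyset(globals()[name]))
```

A result of `("tink-json", False)` for a file about to be published means the private keyset was picked up instead of the public one.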