JWTPlus is an open-source solution designed to simplify JWT management and security. Whether you're looking for installation guides, API references, or best practices, this documentation has you covered. Use JWTPlus to handle token issuance, revocation, key rotation, and more - all without the hassle of manual JWT handling.
Browse through the sections below to get started! 🚀
Choosing the Right JWT Signing Algorithm
When securing communication with JSON Web Tokens (JWTs), selecting the right signing algorithm is essential.
System Requirements for JWTPlus Installation
Before installing JWTPlus, ensure your system meets the minimum hardware and software requirements.
Automated Installation Guide for JWTPlus
Setting up JWTPlus is now easier than ever with our automated installation scripts.
Manual Installation Guide for JWTPlus
This guide provides step-by-step instructions for manually installing JWTPlus on a Linux server.
JWTPlus Configuration Guide
Learn how to configure jwtplus.yaml for JWTPlus, including server settings, database connections, and automatic SSL certificate generation using Let's Encrypt.
Contributing to JWTPlus
Whether you're a developer or a non-technical contributor, there are many ways to help, from coding and testing to documentation and translations.
Managing applications and security requires powerful administrative controls. These API endpoints are exclusively designed for root users, enabling them to create, update, delete, and secure applications. Root users can rotate keys, flush active JWT sessions, and enforce security measures in case of a compromise. These calls ensure full control over authentication and authorization within the system.
GET /root/list List All Onboarded Projects
Learn how to use the JWTPlus List All Onboarded Projects API to retrieve project information easily.
GET /root/rotate Rotate Root Key
This API generates a new root key while preserving system integrity.
POST /root/create Create a New Project
This API creates a new project in JWTPlus and returns unique credentials required for all future app-based API calls.
PATCH /root/{app_id} Update an Existing Project
This API updates an existing project’s details using its app-id and root-key. You can modify fields like name, description, token expiration & refresh, and key rotation settings.
GET /root/{app_id}/rotate/key Rotate App Key for Enhanced Security
This API regenerates a new app key for an existing project. Use this when an app key is compromised or needs to be updated.
GET /root/{app_id}/rotate/pki Emergency Public-Private Key Rotation
Revoke all active JWT tokens and generate a new public-private key pair in case of a security breach.
DELETE /root/{app_id}/flush Flush All Active JWT Tokens
This API call forcefully invalidates all active JWT authentication and refresh tokens for a given application. All users will be required to log in again.
DELETE /root/{app_id} Delete an Existing Project
This API deletes an existing project using its app-id and root-key. Once deleted, the app’s credentials are no longer valid and all of its JWT tokens are revoked immediately.
JWTPlus provides a comprehensive set of API endpoints designed for seamless integration and secure token management. Whether you're retrieving project settings, signing tokens, verifying authenticity, or revoking access, our APIs ensure high performance and reliability.
GET /health Health Check API
Learn how the Health Check API helps load balancers monitor the availability and status of JWTPlus.
GET /app/{app_id} Retrieve Project Settings
Fetch the configured settings for your project using the app-key.
GET /app/{app_id}/pub-keys Retrieve All Public Keys for a Project
Fetch active, revoked, and expired public keys for frontend JWT verification.
POST /app/{app_id}/sign Generate Signed Auth & Refresh Tokens
This API generates signed authentication (auth_token) and refresh (refresh_token) tokens using the app's settings.
POST /app/{app_id}/verify Verify a Signed JWT Token
This API verifies a given JWT (auth or refresh token) against the app's signing key, ensuring validity by checking expiration time, revoked keys, and not before (nbf) restrictions.
POST /app/{app_id}/renew Renew JWT Token
This API renews an authentication token using a valid refresh token.
POST /app/{app_id}/get-session Retrieve Active Login Sessions
This API retrieves all active login sessions associated with a given user (sub).
POST /app/{app_id}/revoke-token Revoke a JWT Token
This API allows an application to revoke a user's JWT token, logging them out and preventing further authentication using the given token.