OpenSkillIndex← back to search
claude-code

Asi implementing-jwt-signing-and-verification

JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256

install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/implementing-jwt-signing-and-verification" ~/.claude/skills/plurigrid-asi-implementing-jwt-signing-and-verification && rm -rf "$T"
manifest: plugins/asi/skills/implementing-jwt-signing-and-verification/SKILL.md
tags
#cryptography#jwt#authentication#token-security#digital-signatures
source content

Implementing JWT Signing and Verification

Overview

JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256, RSA-PSS, and EdDSA algorithms, along with verification, token expiration, claims validation, and defense against common JWT attacks (algorithm confusion, none algorithm, key injection).

When to Use

  • When deploying or configuring implementing jwt signing and verification capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Implement JWT signing with HS256, RS256, ES256, and EdDSA
  • Verify JWT signatures and validate standard claims
  • Implement token expiration, not-before, and audience validation
  • Defend against algorithm confusion and none algorithm attacks
  • Implement JWT key rotation with JWK Sets
  • Build a complete authentication middleware

Key Concepts

JWT Algorithms

AlgorithmTypeKeySecurity Level
HS256Symmetric (HMAC)Shared secret128-bit
RS256Asymmetric (RSA)RSA key pair112-bit
ES256Asymmetric (ECDSA)P-256 key pair128-bit
EdDSAAsymmetric (Ed25519)Ed25519 pair128-bit

Common JWT Attacks

  • Algorithm confusion: Switching from RS256 to HS256, using public key as HMAC secret
  • None algorithm: Setting alg=none to bypass signature verification
  • Key injection: Embedding key in JWK header
  • Weak secrets: Brute-forcing short HMAC secrets
  • Token replay: Reusing valid tokens without expiration

Security Considerations

  • Always validate the algorithm header against an allowlist
  • Never accept alg=none in production
  • Use asymmetric algorithms (RS256, ES256) for distributed systems
  • Set short expiration times (15 min for access tokens)
  • Implement token refresh mechanism
  • Store secrets securely (not in source code)

Validation Criteria

  • JWT signing produces valid tokens for all algorithms
  • Signature verification rejects tampered tokens
  • Expired tokens are rejected
  • Algorithm confusion attack is prevented
  • None algorithm is rejected
  • JWK key rotation works correctly
  • Claims validation enforces all required claims