JWT๏ƒ

Inherits: Object

Singleton for JSON Web Token (JWT) encoding, decoding, validation, and cryptographic operations.

Description๏ƒ

The JWT singleton provides a toolkit for Godot to handle RFC-7519 JSON Web Tokens. It supports encoding, decoding, and validation of JWTs using RS256 and HS256 algorithms. It also provides functionality for key rotation, and token revocation via JTIs.

var builder = JWTBuilder.new().set_algorithm('HS256').add_claim('user', 'admin')
var token = builder.sign('secret')
print(JWT.parse(token).get_claim_as_string('user'))

Methods๏ƒ

String

base64url_decode(b64url: String)

String

base64url_encode(str: String)

void

clear_revoked()

String

create_jwt(header: Dictionary, payload: Dictionary, key: Variant)

String

create_jwt_hs256(header: Dictionary, payload: Dictionary, secret: String)

String

create_jwt_rs256(header: Dictionary, payload: Dictionary, key: CryptoKey)

String

create_jwt_timed(header: Dictionary, payload: Dictionary, key: Variant, validity_seconds: float)

Dictionary

decode(jwt: String)

String

get_algorithm(jwt: String)

Variant

get_claim(jwt: String, claim: String)

Dictionary

get_header(jwt: String)

String

get_kid(jwt: String)

Dictionary

get_payload(jwt: String)

String

get_signature(jwt: String)

bool

has_claim(jwt: String, claim: String)

bool

is_expired(jwt: String)

bool

is_revoked(jti: String) const

DecodedJWT

parse(jwt: String)

void

revoke_jti(jti: String)

bool

validate(jwt: String, key: Variant)

bool

validate_any(jwt: String, keys: Array)

bool

validate_claims(jwt: String, expected_claims: Dictionary)

PackedStringArray

validate_claims_diagnostic(jwt: String, expected_claims: Dictionary)

Dictionary

validate_diagnostic(jwt: String, key: Variant)

bool

validate_header_claims(jwt: String, expected_claims: Dictionary)

bool

validate_signature_hs256(jwt: String, secret: String)

bool

validate_signature_rs256(jwt: String, key: CryptoKey)

bool

validate_timing(jwt: String, leeway_seconds: float = 0.0)

bool

validate_with_map(jwt: String, key_map: Dictionary)


Method Descriptions๏ƒ

String base64url_decode(b64url: String) ๐Ÿ”—

Decodes a Base64Url-encoded string into a standard String.


String base64url_encode(str: String) ๐Ÿ”—

Encodes a String into a Base64Url-encoded string.


void clear_revoked() ๐Ÿ”—

Clears all revoked JTIs from the internal blacklist cache.


String create_jwt(header: Dictionary, payload: Dictionary, key: Variant) ๐Ÿ”—

Creates a JWT from a header and payload dictionary. The key type depends on the algorithm.


String create_jwt_hs256(header: Dictionary, payload: Dictionary, secret: String) ๐Ÿ”—

Creates a JWT signed with HMAC SHA-256 (HS256) using a given secret string.


String create_jwt_rs256(header: Dictionary, payload: Dictionary, key: CryptoKey) ๐Ÿ”—

Creates a JWT signed with RSA (RS256) using a CryptoKey.


String create_jwt_timed(header: Dictionary, payload: Dictionary, key: Variant, validity_seconds: float) ๐Ÿ”—

Deprecated. Prefer using JWTBuilder with JWTBuilder.set_expiration() instead.


Dictionary decode(jwt: String) ๐Ÿ”—

Decodes the JWT payload into a dictionary without validating the signature. Do not use for authentication.


String get_algorithm(jwt: String) ๐Ÿ”—

Extracts the algorithm (alg) from the unverified JWT header.


Variant get_claim(jwt: String, claim: String) ๐Ÿ”—

Extracts a specific claim from the unverified JWT payload.


Dictionary get_header(jwt: String) ๐Ÿ”—

Decodes and returns the JWT header as a dictionary without validating the signature.


String get_kid(jwt: String) ๐Ÿ”—

Extracts the Key ID (kid) from the unverified JWT header.


Dictionary get_payload(jwt: String) ๐Ÿ”—

Decodes and returns the JWT payload as a dictionary without validating the signature.


String get_signature(jwt: String) ๐Ÿ”—

Extracts the signature portion of the JWT.


bool has_claim(jwt: String, claim: String) ๐Ÿ”—

Returns true if the unverified JWT payload contains the specified claim.


bool is_expired(jwt: String) ๐Ÿ”—

Checks whether the JWT is expired based on its exp claim. Does not validate the signature.


bool is_revoked(jti: String) const ๐Ÿ”—

Checks whether the specified JTI has been explicitly revoked in the internal blacklist.


DecodedJWT parse(jwt: String) ๐Ÿ”—

Parses an encoded JWT string and returns a DecodedJWT object for easier inspection. Does not validate the signature.


void revoke_jti(jti: String) ๐Ÿ”—

Adds a JTI claim to the internal blacklist. Any future validation of tokens containing this JTI will fail.


bool validate(jwt: String, key: Variant) ๐Ÿ”—

Validates the JWT's signature against the provided key. The key must be a String for HS256 or a CryptoKey for RS256.


bool validate_any(jwt: String, keys: Array) ๐Ÿ”—

Validates the JWT's signature against an array of keys. It returns true if any key correctly validates the token.


bool validate_claims(jwt: String, expected_claims: Dictionary) ๐Ÿ”—

Validates that the JWT payload contains the exact claims specified in the expected_claims dictionary.


PackedStringArray validate_claims_diagnostic(jwt: String, expected_claims: Dictionary) ๐Ÿ”—

Validates claims against the expected_claims dictionary and returns an array of keys that failed validation.


Dictionary validate_diagnostic(jwt: String, key: Variant) ๐Ÿ”—

Evaluates the JWT signature and structural validity, returning a dictionary detailing valid, error, and internal constraints.


bool validate_header_claims(jwt: String, expected_claims: Dictionary) ๐Ÿ”—

Validates that the JWT header contains the exact claims specified in the expected_claims dictionary.


bool validate_signature_hs256(jwt: String, secret: String) ๐Ÿ”—

Validates an HS256 JWT signature using the explicit string secret.


bool validate_signature_rs256(jwt: String, key: CryptoKey) ๐Ÿ”—

Validates an RS256 JWT signature using the provided CryptoKey.


bool validate_timing(jwt: String, leeway_seconds: float = 0.0) ๐Ÿ”—

Validates the exp (expiration) and nbf (not before) claims against the current time, with an optional clock leeway in seconds.


bool validate_with_map(jwt: String, key_map: Dictionary) ๐Ÿ”—

Validates the JWT using a map of keys. It automatically selects the correct key from the key_map dictionary based on the token's kid header.