jwt-go
ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
A Go library for creating, signing, parsing, and verifying JSON Web Tokens. Note that this repo is unmaintained; the active successor is golang-jwt/jwt, which is the right place for new projects.
jwt-go is a Go library for working with JSON Web Tokens, a standard format for passing signed claims between systems. A JSON Web Token is a compact string made of three parts: a header describing the signing method used, a payload containing the actual data (called claims), and a cryptographic signature that lets the receiver verify the token has not been tampered with. JWTs are commonly used in authentication systems, for example as the bearer token in OAuth 2 flows.
This library handles the four core operations: creating a token, signing it, parsing a received token, and verifying the signature. It supports symmetric signing with HMAC (where the same secret is used to both sign and verify), and asymmetric signing with RSA and ECDSA (where a private key signs and a public key verifies). The library also allows you to plug in your own signing methods if the built-ins do not cover your case.
The README includes a practical note about a common security mistake: always verify that the algorithm in the incoming token is the one you expect. Some JWT libraries have historically been vulnerable to attacks where a malicious token claims to use the none algorithm and bypasses signature verification entirely. This library requires explicit opt-in to accept unsigned tokens.
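The algorithm check described above, as an added standard-library-only Go example (not code from jwt-go or its README): the verifier pins HS256 and never lets the token's own header select how it is verified. The names `sign`, `verify`, `hs256` and the demo key are assumptions made for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
func hs256(in string, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return m.Sum(nil)
}

// sign builds an HS256 token; used here only to construct sample input.
func sign(payload string, key []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	return in + "." + b64.EncodeToString(hs256(in, key))
}

// verify returns the payload only if the header names HS256 and the MAC matches.
func verify(token string, key []byte) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", fmt.Errorf("bad header")
	}
	if hdr.Alg != "HS256" { // pinned: "none" or any other claimed alg is refused
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return "", fmt.Errorf("invalid signature")
	}
	p, err := b64.DecodeString(parts[1])
	return string(p), err
}

func main() {
	key := []byte("constructed-demo-secret")
	fmt.Println(verify(sign(`{"sub":"alice"}`, key), key))
	fmt.Println(verify(b64.EncodeToString([]byte(`{"alg":"none"}`))+".e30.", key))
}
```

The algorithm comparison runs before any signature work, so a token with an empty signature segment is refused on its header alone.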
One important note: this repository is no longer maintained. The author transferred the project to a community-maintained fork at golang-jwt/jwt, which is where active development continues. If you are starting a new project or need recent bug fixes, the maintained fork is the right place to look. This repository remains available for reference and for existing code that still imports the old package path.
Where it fits
- Add JWT-based authentication to a Go web service by signing a token at login and verifying it on each subsequent request.
- Implement OAuth 2 bearer token validation in a Go API using RSA asymmetric signing so the private key never leaves your auth server.
- Parse and inspect JWT claims in a Go middleware function to authorize user actions based on roles stored in the token payload.