#okta #jwt


A helper library for working with JWT's for Okta in Rust

16 unstable releases (6 breaking)

0.7.0 Jul 30, 2023
0.6.1 Apr 20, 2023
0.5.0 Feb 8, 2023
0.4.5 Nov 17, 2022
0.1.1 Apr 20, 2021

#90 in Authentication

Download history 49/week @ 2023-08-10 76/week @ 2023-08-17 22/week @ 2023-08-24 39/week @ 2023-08-31 68/week @ 2023-09-07 82/week @ 2023-09-14 53/week @ 2023-09-21 19/week @ 2023-09-28 13/week @ 2023-10-05 51/week @ 2023-10-12 23/week @ 2023-10-19 42/week @ 2023-10-26 23/week @ 2023-11-02 45/week @ 2023-11-09 200/week @ 2023-11-16 137/week @ 2023-11-23

432 downloads per month


382 lines


Rust crates.io Docs.rs

The purpose of this library is to help with the verification of access and ID tokens issued by Okta. Check the API Docs for more details.

Minimum Supported Rust Version (MSRV)



With cargo add installed :

cargo add okta-jwt-verifier



This example attempts to retrieve the keys from the provided Okta authorization server, decodes the token header to identify the key id, attempts to find a matching key, attempts to decode the token, and finally attempts to deserialize the claims.

This method will attempt to retrieve the keys upon each request unless a cache feature is enabled.

use okta_jwt_verifier::{Verifier, DefaultClaims};

async fn main() -> anyhow::Result<()> {
    let token = "token";
    let issuer = "https://your.domain/oauth2/default";


Optional Configurations

This method will attempt to retrieve the keys using the provided endpoint (default: "/v1/keys")

use okta_jwt_verifier::{Config, Verifier, DefaultClaims};

async fn main() -> anyhow::Result<()> {
    let token = "token";
    let issuer = "https://your.domain/oauth2/default";
    let config: Config =
            Config { keys_endpoint: Some("/oauth2/v1/keys".to_owned()) };
    Verifier::new_with_config(&issuer, config)

This example shows the use of optional configurations for validation.

use okta_jwt_verifier::Verifier;
use serde::{Deserialize, Serialize};
use std::collections::HashSet;

// You can provide your own Claims struct or use the provided defaults
// This example matches okta_jwt_verifier::DefaultClaims
#[derive(Serialize, Deserialize)]
pub struct Claims {
    pub iss: String,
    pub sub: String,
    pub scp: Option<Vec<String>>,
    pub cid: Option<String>,
    pub uid: Option<String>,
    pub exp: u64,
    pub iat: u64,

let token = "token";
let issuer = "https://your.domain/oauth2/default";
let mut aud = HashSet::new();

let claims = Verifier::new(&issuer)
    // An optional leeway (in seconds) can be provided to account for clock skew (default: 120)
    // Optional audience claims can be provided to validate against
    // Adding a single aud entry without building a HashSet manually
    // An optional client ID can be provided to match against the cid claim

Key Caching

This example matches the basic example but would cache the keys on disk. Requires the cache-surf or cache-reqwest feature to be enabled (disabled by default). Creates an http-cacache directory relative to the working directory where the cache files will reside.

With cargo add installed :

For surf:

cargo add okta-jwt-verifier --features cache-surf

For reqwest:

cargo add okta-jwt-verifier --no-default-features --features client-reqwest,cache-reqwest

Tide Middleware

This example implements the basic usage example as tide middleware.

ISSUER="https://your.domain/oauth2/default" cargo run --example tide_middleware_basic


The following features are available. By default client-surf is enabled.

  • client-surf feature that enables the surf client for remote requests. This is enabled by default.
  • cache-surf feature that enables cache on disk to store keys when using the surf client (respects cache-control). This is disabled by default.
  • client-reqwest feature that enables the reqwest client for remote requests. This is disabled by default.
  • cache-reqwest feature that enables cache on disk to store keys when using the reqwest client (respects cache-control). This is disabled by default.



Licensed under either of

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


~379K SLoC