#jwt #recursion #token #scope #oauth-token #oauth


A recursive Javascript Web Token with support for ECDSA and Falcon

6 releases (breaking)

0.5.0 Jan 26, 2024
0.4.3 Jan 15, 2023
0.4.1 Feb 12, 2021
0.3.1 Feb 11, 2021
0.1.0 Feb 10, 2021

#270 in Authentication

Download history 26/week @ 2024-01-26 5/week @ 2024-02-02 6/week @ 2024-02-16 26/week @ 2024-02-23 8/week @ 2024-03-01 7/week @ 2024-03-08 20/week @ 2024-03-15 24/week @ 2024-03-29 9/week @ 2024-04-05

116 downloads per month
Used in 10 crates (3 directly)


490 lines

Provides an Actor and (de)serializable Token struct which support authenticating JSON Web Tokens with a custom payload. See jwt.io for more information on the JWT spec.

The provided Actor uses the ECDSA algorithm to sign tokens (using the ed25519_dalek crate).

This library differs from other JWT implementations in that it allows for recursive Tokens.

Note that if the same (host, actor) pair is specified multiple times in the token chain, only the latest is returned by Claims::get.


use rjwt::*;

struct Resolver {
    hostname: String,
    actors: HashMap<String, Actor<String>>,
    peers: Vec<Self>,
// ...

impl Resolve for Resolver {
    type HostId = String;
    type ActorId = String;
    type Claims = String;

    async fn resolve(&self, host: &Self::HostId, actor_id: &Self::ActorId) -> Result<Actor<Self::ActorId>, Error> {
        if host == &self.hostname {
            self.actors.get(actor_id).cloned().ok_or_else(|| Error::fetch(actor_id))
        } else if let Some(peer) = self.peers.iter().filter(|p| &p.hostname == host).next() {
            peer.resolve(host, actor_id).await
        } else {

let now = SystemTime::now();

// Say that Bob is a user on example.com.
let bobs_id = "bob".to_string();
let example_dot_com = "example.com".to_string();

let actor_bob = Actor::new(bobs_id.clone());
let example = Resolver::new(example_dot_com.clone(), [actor_bob.clone()], vec![]);

// Bob makes a request through the retailer.com app.
let retailer_dot_com = "retailer.com".to_string();
let retail_app = Actor::new("app".to_string());
let retailer = Resolver::new(

// The retailer.com app makes a request to Bob's bank.
let bank_account = Actor::new("bank".to_string());
let bank = Resolver::new(
    vec![example, retailer.clone()]);

// First, example.com issues a token to authenticate Bob.
let bobs_claim = String::from("I am Bob and retailer.com may debit my bank.com account");

// This requires constructing the token...
let bobs_token = Token::new(

// and signing it with Bob's private key.
let bobs_token = actor_bob.sign_token(bobs_token).expect("signed token");

// Then, retailer.com validates the token...
let bobs_token = block_on(retailer.verify(bobs_token.into_jwt(), now)).expect("claims");
assert!(bobs_token.get_claim(&example_dot_com, &bobs_id).expect("claim").starts_with("I am Bob"));

// and adds its own claim, that Bob owes it $1.
let retailer_claim = String::from("Bob spent $1 on retailer.com");
let retailer_token = retail_app.consume_and_sign(
    now).expect("signed token");

assert_eq!(retailer_token.get_claim(&retailer_dot_com, retail_app.id()), Some(&retailer_claim));
assert_eq!(retailer_token.get_claim(&example_dot_com, actor_bob.id()), Some(&bobs_claim));

// Finally, Bob's bank verifies the token...
let retailer_token_as_received = block_on(bank.verify(retailer_token.jwt().to_string(), now)).expect("claims");
assert_eq!(retailer_token, retailer_token_as_received);

// to authenticate that the request came from Bob...
    .get_claim(&example_dot_com, &bobs_id)
    .starts_with("I am Bob and retailer.com may debit my bank.com account"));

// via retailer.com.
assert!(retailer_token_as_received.get_claim(&retailer_dot_com, retail_app.id()).expect("claim").starts_with("Bob spent $1"));


~108K SLoC