# Class: SignJWT ## [💗 Help the project](https://github.com/sponsors/panva) Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva). The SignJWT class is used to build and sign Compact JWS formatted JSON Web Tokens. This class is exported (as a named export) from the main `'jose'` module entry point as well as from its subpath export `'jose/jwt/sign'`. ## Examples Usage with a symmetric secret ```js const secret = new TextEncoder().encode( 'cc7e0d44fd473002f1c42167459001140ec6389b7353f8088f4d9a95f2f596f2', ) const alg = 'HS256' const jwt = await new jose.SignJWT({ 'urn:example:claim': true }) .setProtectedHeader({ alg }) .setIssuedAt() .setIssuer('urn:example:issuer') .setAudience('urn:example:audience') .setExpirationTime('2h') .sign(secret) console.log(jwt) ``` Usage with a private PKCS#8 encoded RSA key ```js const alg = 'RS256' const pkcs8 = `-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCFg4UrY5xtulv /NXKmL1J4qI1SopAfTNMo3X7p+kJO7plqUYjzaztcre1qfh0m33Sm1Q8oPbO/GpP MU1/HgcceytgJ/b4UwufVVMl9BrMDYG8moDBylbVupFQS3Ly1L9i/iFG9Z9A9xzY Zzf799A45bnvNXL6s2glzvjiRvfQ2NDF0anTcnZLcYtC7ugq1IMM+ihAcPfw8Qw2 chN/SmP4qAM+PKaQwagmU7doqmmyN9u38AfoYZ1GCFhEs5TBBT6H6h9YdHeVtiIq 1c+fl03biSIfLrV7dUBD39gBmXBcL/30Ya3D82mCEUC4zg/UkOfQOmkmV3Lc8YUL QZ8EJkBLAgMBAAECggEAVuVE/KEP6323WjpbBdAIv7HGahGrgGANvbxZsIhm34ls VOPK0XDegZkhAybMZHjRhp+gwVxX5ChC+J3cUpOBH5FNxElgW6HizD2Jcq6t6LoL YgPSrfEHm71iHg8JsgrqfUnGYFzMJmv88C6WdCtpgG/qJV1K00/Ly1G1QKoBffEs +v4fAMJrCbUdCz1qWto+PU+HLMEo+krfEpGgcmtZeRlDADh8cETMQlgQfQX2VWq/ aAP4a1SXmo+j0cvRU4W5Fj0RVwNesIpetX2ZFz4p/JmB5sWFEj/fC7h5z2lq+6Bm e2T3BHtXkIxoBW0/pYVnASC8P2puO5FnVxDmWuHDYQKBgQDTuuBd3+0tSFVEX+DU 5qpFmHm5nyGItZRJTS+71yg5pBxq1KqNCUjAtbxR0q//fwauakh+BwRVCPOrqsUG jBSb3NYE70Srp6elqxgkE54PwQx4Mr6exJPnseM9U4K+hULllf5yjM9edreJE1nV NVgFjeyafQhrHKwgr7PERJ/ikwKBgQDqqsT1M+EJLmI1HtCspOG6cu7q3gf/wKRh E8tu84i3YyBnI8uJkKy92RNVI5fvpBARe3tjSdM25rr2rcrcmF/5g6Q9ImxZPGCt 86eOgO9ErNtbc4TEgybsP319UE4O41aKeNiBTAZKoYCxv/dMqG0j4avmWzd+foHq gSNUvR2maQKBgQCYeqOsV2B6VPY7KIVFLd0AA9/dwvEmgAYLiA/RShDI+hwQ/5jX uxDu37KAhqeC65sHLrmIMUt4Zdr+DRyZK3aIDNEAesPMjw/X6lCXYp1ZISD2yyym MFGH8X8CIkstI9Faf9vf6PJKSFrC1/HA7wq17VCwrUzLvrljTMW8meM/CwKBgCpo 2leGHLFQFKeM/iF1WuYbR1pi7gcmhY6VyTowARFDdOOu8GXYI5/bz0afvCGvAMho DJCREv7lC/zww6zCTPYG+HOj+PjXlJFba3ixjIxYwPvyEJiDK1Ge18sB7Fl8dHNq C5ayaqCqN1voWYUdGzxU2IA1E/5kVo5O8FesJeOhAoGBAImJbZFf+D5kA32Xxhac 59lLWBCsocvvbd1cvDMNlRywAAyhsCb1SuX4nEAK9mrSBdfmoF2Nm3eilfsOds0f K5mX069IKG82CMqh3Mzptd7e7lyb9lsoGO0BAtjho3cWtha/UZ70vfaMzGuZ6JmQ ak6k+8+UFd93M4z0Qo74OhXB -----END PRIVATE KEY-----` const privateKey = await jose.importPKCS8(pkcs8, alg) const jwt = await new jose.SignJWT({ 'urn:example:claim': true }) .setProtectedHeader({ alg }) .setIssuedAt() .setIssuer('urn:example:issuer') .setAudience('urn:example:audience') .setExpirationTime('2h') .sign(privateKey) console.log(jwt) ``` Usage with a private JWK encoded RSA key ```js const alg = 'RS256' const jwk = { kty: 'RSA', n: 'whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4HHHsrYCf2-FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS_Yv4hRvWfQPcc2Gc3-_fQOOW57zVy-rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj-KgDPjymkMGoJlO3aKppsjfbt_AH6GGdRghYRLOUwQU-h-ofWHR3lbYiKtXPn5dN24kiHy61e3VAQ9_YAZlwXC_99GGtw_NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZASw', e: 'AQAB', d: 'VuVE_KEP6323WjpbBdAIv7HGahGrgGANvbxZsIhm34lsVOPK0XDegZkhAybMZHjRhp-gwVxX5ChC-J3cUpOBH5FNxElgW6HizD2Jcq6t6LoLYgPSrfEHm71iHg8JsgrqfUnGYFzMJmv88C6WdCtpgG_qJV1K00_Ly1G1QKoBffEs-v4fAMJrCbUdCz1qWto-PU-HLMEo-krfEpGgcmtZeRlDADh8cETMQlgQfQX2VWq_aAP4a1SXmo-j0cvRU4W5Fj0RVwNesIpetX2ZFz4p_JmB5sWFEj_fC7h5z2lq-6Bme2T3BHtXkIxoBW0_pYVnASC8P2puO5FnVxDmWuHDYQ', p: '07rgXd_tLUhVRF_g1OaqRZh5uZ8hiLWUSU0vu9coOaQcatSqjQlIwLW8UdKv_38GrmpIfgcEVQjzq6rFBowUm9zWBO9Eq6enpasYJBOeD8EMeDK-nsST57HjPVOCvoVC5ZX-cozPXna3iRNZ1TVYBY3smn0IaxysIK-zxESf4pM', q: '6qrE9TPhCS5iNR7QrKThunLu6t4H_8CkYRPLbvOIt2MgZyPLiZCsvdkTVSOX76QQEXt7Y0nTNua69q3K3Jhf-YOkPSJsWTxgrfOnjoDvRKzbW3OExIMm7D99fVBODuNWinjYgUwGSqGAsb_3TKhtI-Gr5ls3fn6B6oEjVL0dpmk', dp: 'mHqjrFdgelT2OyiFRS3dAAPf3cLxJoAGC4gP0UoQyPocEP-Y17sQ7t-ygIanguubBy65iDFLeGXa_g0cmSt2iAzRAHrDzI8P1-pQl2KdWSEg9ssspjBRh_F_AiJLLSPRWn_b3-jySkhawtfxwO8Kte1QsK1My765Y0zFvJnjPws', dq: 'KmjaV4YcsVAUp4z-IXVa5htHWmLuByaFjpXJOjABEUN0467wZdgjn9vPRp-8Ia8AyGgMkJES_uUL_PDDrMJM9gb4c6P4-NeUkVtreLGMjFjA-_IQmIMrUZ7XywHsWXx0c2oLlrJqoKo3W-hZhR0bPFTYgDUT_mRWjk7wV6wl46E', qi: 'iYltkV_4PmQDfZfGFpzn2UtYEKyhy-9t3Vy8Mw2VHLAADKGwJvVK5ficQAr2atIF1-agXY2bd6KV-w52zR8rmZfTr0gobzYIyqHczOm13t7uXJv2WygY7QEC2OGjdxa2Fr9RnvS99ozMa5nomZBqTqT7z5QV33czjPRCjvg6FcE', } const privateKey = await jose.importJWK(jwk, alg) const jwt = await new jose.SignJWT({ 'urn:example:claim': true }) .setProtectedHeader({ alg }) .setIssuedAt() .setIssuer('urn:example:issuer') .setAudience('urn:example:audience') .setExpirationTime('2h') .sign(privateKey) console.log(jwt) ``` ## Constructors ### Constructor ▸ **new SignJWT**(`payload?`): `SignJWT` SignJWT constructor #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `payload` | [`JWTPayload`](../../../types/interfaces/JWTPayload.md) | The JWT Claims Set object. Defaults to an empty object. | #### Returns `SignJWT` ## Methods ### setAudience() ▸ **setAudience**(`audience`): `this` Set the "aud" (Audience) Claim. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `audience` | `string` \| `string`[] | "aud" (Audience) Claim value to set on the JWT Claims Set. | #### Returns `this` *** ### setExpirationTime() ▸ **setExpirationTime**(`input`): `this` Set the "exp" (Expiration Time) Claim. - If a `number` is passed as an argument it is used as the claim directly. - If a `Date` instance is passed as an argument it is converted to unix timestamp and used as the claim. - If a `string` is passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim. Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day". Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year. If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `input` | `string` \| `number` \| [`Date`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date) | "exp" (Expiration Time) Claim value to set on the JWT Claims Set. | #### Returns `this` *** ### setIssuedAt() ▸ **setIssuedAt**(`input?`): `this` Set the "iat" (Issued At) Claim. - If no argument is used the current unix timestamp is used as the claim. - If a `number` is passed as an argument it is used as the claim directly. - If a `Date` instance is passed as an argument it is converted to unix timestamp and used as the claim. - If a `string` is passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim. Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day". Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year. If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `input?` | `string` \| `number` \| [`Date`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date) | "iat" (Expiration Time) Claim value to set on the JWT Claims Set. | #### Returns `this` *** ### setIssuer() ▸ **setIssuer**(`issuer`): `this` Set the "iss" (Issuer) Claim. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `issuer` | `string` | "Issuer" Claim value to set on the JWT Claims Set. | #### Returns `this` *** ### setJti() ▸ **setJti**(`jwtId`): `this` Set the "jti" (JWT ID) Claim. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `jwtId` | `string` | "jti" (JWT ID) Claim value to set on the JWT Claims Set. | #### Returns `this` *** ### setNotBefore() ▸ **setNotBefore**(`input`): `this` Set the "nbf" (Not Before) Claim. - If a `number` is passed as an argument it is used as the claim directly. - If a `Date` instance is passed as an argument it is converted to unix timestamp and used as the claim. - If a `string` is passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim. Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day". Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year. If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `input` | `string` \| `number` \| [`Date`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date) | "nbf" (Not Before) Claim value to set on the JWT Claims Set. | #### Returns `this` *** ### setProtectedHeader() ▸ **setProtectedHeader**(`protectedHeader`): `this` Sets the JWS Protected Header on the SignJWT object. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `protectedHeader` | [`JWTHeaderParameters`](../../../types/interfaces/JWTHeaderParameters.md) | JWS Protected Header. Must contain an "alg" (JWS Algorithm) property. | #### Returns `this` *** ### setSubject() ▸ **setSubject**(`subject`): `this` Set the "sub" (Subject) Claim. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `subject` | `string` | "sub" (Subject) Claim value to set on the JWT Claims Set. | #### Returns `this` *** ### sign() ▸ **sign**(`key`, `options?`): [`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<`string`\> Signs and returns the JWT. #### Parameters | Parameter | Type | Description | | ------ | ------ | ------ | | `key` | [`Uint8Array`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array) \| [`CryptoKey`](https://developer.mozilla.org/docs/Web/API/CryptoKey) \| [`JWK`](../../../types/interfaces/JWK.md) \| [`KeyObject`](../../../types/interfaces/KeyObject.md) | Private Key or Secret to sign the JWT with. See [Algorithm Key Requirements](https://github.com/panva/jose/issues/210#jws-alg). | | `options?` | [`SignOptions`](../../../types/interfaces/SignOptions.md) | JWT Sign options. | #### Returns [`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<`string`\>