2015-06-20 09:32



I'm trying out JWT (JSON Web Tokens) in a Go web service. Here's what I've done so far:

package jwt


var privateKey []byte
var publicKey []byte 

func JSONWebTokensHandler(w http.ResponseWriter, r * http.Request){

    // Create the token
    encodeToken := jwt.New(jwt.SigningMethodHS256)
    // Set some claims
    encodeToken.Claims["Latitude"] = "25.000"
    encodeToken.Claims["Longitude"] = "27.000"
    // Sign and get the complete encoded token as a string
    tokenString, err := encodeToken.SignedString(privateKey)

    decodeToken, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {

        if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
            return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])

        return publicKey,nil

    if decodeToken.Valid {

        fmt.Fprintf(w,"Lat:  %s, Lng: %s",decodeToken.Claims["Latitude"],decodeToken.Claims["Longitude"])

    }  else {

        fmt.Fprintf(w,"Couldn't handle this token: %s", err)



func init(){

    privateKey,_ = ioutil.ReadFile("demo.rsa")
    publicKey,_ = ioutil.ReadFile("demo.rsa.pub")

    r := mux.NewRouter()
    http.Handle("/", r)


Now if my understanding is correct, A token that is encoded using a private key can be decoded using the public key. That is what I've presumed in the code above however when I run the code I get the error:

Couldn't handle this token: signature is invalid

If I use the same key for encoding and decoding, then the code works.

What I'd like to know is, is there something wrong with my understanding or in the code?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答


  • drjyvoi734793 drjyvoi734793 6年前

    The JWT isn't signed using an asymmetric cipher like RSA. It uses a HMAC, which uses a single, secret key. Indeed, the point here is not to prove to someone else that you signed the token. It's to prove to yourself that you signed it, and thus forbid anyone who doesn't have your secret key to modify the token.

    点赞 评论 复制链接分享
  • dongyi7041 dongyi7041 3年前

    Very interesting, since I have a similar problem, when I have micro service and a client app that need to verify the token that comes from another internal server, so if you advice using HMAC over RSA them that means that I need to put the private key in both micro service and Client App? that wouldn't be a serious security hole?

    点赞 评论 复制链接分享
  • dragon0118 dragon0118 6年前

    You are using jwt.SigningMethodHMAC. Therefore, you are signing using HMAC, the signature is the token ciphered by a symmetric key (secret).

    You shall use: jwt.New(jwt.SigningMethodRS256) to sign with an asymmetric key-pair.

    点赞 评论 复制链接分享