Easily scaffold a keychain using JWT for Vapor
Latest commit 23a54a6 Aug 1, 2019

JWT Keychain


Add a complete and customizable user authentication system for your API project.

Demo project

📦 Installation

Update your Package.swift file.

.package(url: "", upToMajorVersion: "2.0.0")
targets: [
        name: "App",
        dependencies: [

Getting started 🚀



Copy package resources:

Move the content of JWTKeychain/Resources/Views into the Resources/Views folder of your project. Unfortunately there's no convenient way to do this at the moment, but one option is to download this repo as a zip and then move the folders into the root of your project. Remember to check that you're not overwriting any files in your project.

See to learn more about signing.


import JWTKeychain

Token Generator Command

To generate password reset tokens for users, add the following to droplet.json's commands: "keychain:generate_token". You can then create a token like so:

drop --run keychain:generate_token


There are three types of tokens used by JWTKeychain: refresh tokens, API access tokens, and password reset tokens.

Both refresh and access tokens should be included in the Authorization header for each request they are needed for, as follows: Authorization: Bearer TOKEN (where TOKEN is replaced with the actual token string).

Refresh Tokens

Using this type of token is optional but recommended for extra security. You can opt out of using refresh tokens by omitting the value for refreshToken in jwt-keychain.json.

Refresh tokens are tokens with a long expiration time that can be used to generate the more short-lived access tokens that are needed for API access.

Refresh tokens are returned when logging in and when signing up* as a string under the key: refreshToken. They can only be used to create new access tokens at the /users/regenerate endpoint.

When a refresh token expires a new one can be generated by logging in using the user's credentials.

* Besides the refresh token, an access token and the user object are also returned as a convenience to the client developer.

API Access Tokens

API Access tokens give access to the following endpoints:

  • GET /users/me
  • GET /users/logout
  • PATCH /users/update

TODO: add other routes

When an access token has expired, a new one can be generated with a request to /users/regenerate.
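The refresh/access token split described above, as an added client-side sketch (not part of JWTKeychain; Python is used only to show the HTTP-level flow). It builds requests without sending them, so that the long-lived refresh token is attached only to /users/regenerate. The host, the GET method on /users/regenerate, the 30-second leeway and all helper names are assumptions.

```python
import base64, json, time
from urllib.request import Request

BASE_URL = "https://api.example.test"      # placeholder host (assumption)
REGENERATE = ("GET", "/users/regenerate")  # path from the README; GET is assumed
# Routes the README lists as requiring an API access token.
ACCESS_ROUTES = {("GET", "/users/me"), ("GET", "/users/logout"),
                 ("PATCH", "/users/update")}

class LoginRequired(Exception):
    """Refresh token expired: the user must log in with credentials again."""

def jwt_exp(token):
    """Read `exp` from the JWT payload WITHOUT verifying the signature.
    Only used to schedule renewal; the server still validates every token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

def is_expired(token, now, leeway=30):
    return jwt_exp(token) - leeway <= now

def next_request(method, path, access_token, refresh_token, now=None):
    """Build (not send) the next request. The long-lived refresh token is
    only ever attached to the regenerate route, never to an API route."""
    now = time.time() if now is None else now
    if (method, path) not in ACCESS_ROUTES:
        raise ValueError(f"{method} {path} is not an access-token route")
    token = access_token
    if is_expired(access_token, now):
        if is_expired(refresh_token, now):
            raise LoginRequired("refresh token expired")
        (method, path), token = REGENERATE, refresh_token
    req = Request(BASE_URL + path, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    return req

def sample_token(exp):
    """Constructed sample: JWT-shaped string with a dummy signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"exp": exp}), "constructed"])

if __name__ == "__main__":
    now = int(time.time())
    req = next_request("GET", "/users/me", sample_token(now - 5),
                       sample_token(now + 86400), now)
    print(req.get_method(), req.full_url)  # access token expired: regenerate
```
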

Password Reset Tokens

TODO: explain



API Requests


Frontend Requests


Supply Additional Middleware


🏆 Credits

This package is developed and maintained by the Vapor team at Nodes. The package owner for this project is Siemen.

📄 License

This package is open-sourced software licensed under the MIT license.
