Swiftpack.co - Package - nodes-vapor/jwt-keychain

JWT Keychain ⛓


Add a complete and customizable user authentication system for your API project.

Demo project


📦 Installation

Update your Package.swift file.

.package(url: "https://github.com/nodes-vapor/jwt-keychain.git", .upToNextMajor(from: "2.0.0"))
targets: [
    .target(
        name: "App",
        dependencies: ["JWTKeychain"]
    )
]

Getting started 🚀



Copy package resources:

Move the content of JWTKeychain/Resources/Views into the Resources/Views folder of your project. Unfortunately there's no convenient way to do this at the moment, but one option is to download this repo as a zip and then move the folders into the root of your project. Remember to check that you're not overwriting any files in your project.

See https://github.com/vapor/jwt to learn more about signing.


import JWTKeychain

Token Generator Command

To generate password reset tokens for users, add the following to the commands list in droplet.json: "keychain:generate_token". You can then create a token like so:

drop --run keychain:generate_token user@email.com


There are three types of tokens used by JWTKeychain: refresh tokens, API access tokens, and password reset tokens.

Both refresh and access tokens should be included in the Authorization header for each request they are needed for, as follows: Authorization: Bearer TOKEN (where TOKEN is replaced with the actual token string).

Refresh Tokens

Usage of this type of token is optional but recommended for extra security. You can opt-out of using refresh tokens by omitting the value for refreshToken in jwt-keychain.json.

Refresh tokens are tokens with a long expiration time that can be used to generate the more short-lived access tokens that are needed for API access.

Refresh tokens are returned when logging in and when signing up* as a string under the key: refreshToken. They can only be used to create new access tokens at the /users/regenerate endpoint.

When a refresh token expires a new one can be generated by logging in using the user's credentials.

* Besides the refresh token, an access token and the user object are also returned as a convenience to the client developer.

API Access Tokens

API Access tokens give access to the following endpoints:

  • GET /users/me
  • GET /users/logout
  • PATCH /users/update

TODO: add other routes

Whenever an access token is expired a new one can be generated using a request to /users/regenerate.
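The split between refresh and access tokens described above, as an added example in standard-library Python (not code from JWTKeychain or its authors). It assumes each token kind is HS256-signed with its own key, which this README does not state; the keys, lifetimes and the function names issue, authorize and regenerate are hypothetical.

```python
import base64, hashlib, hmac, json

# Constructed demo keys and lifetimes (assumptions, not JWTKeychain defaults).
KEYS = {"refresh": b"demo-refresh-key", "access": b"demo-access-key"}
TTL = {"refresh": 30 * 24 * 3600, "access": 3600}  # seconds
# Paths from the README mapped to the one token kind each accepts.
ROUTES = {"/users/regenerate": "refresh", "/users/me": "access",
          "/users/logout": "access", "/users/update": "access"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(kind: str, signing_input: str) -> bytes:
    return hmac.new(KEYS[kind], signing_input.encode(), hashlib.sha256).digest()

def issue(kind: str, user_id: int, now: int) -> str:
    """Create an HS256 JWT of the given kind, signed with that kind's key."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": str(user_id), "exp": now + TTL[kind]}).encode())
    body = f"{header}.{claims}"
    return f"{body}.{_b64(_sign(kind, body))}"

def authorize(path: str, authorization: str, now: int) -> str:
    """Return the subject if the header holds a valid token of the kind `path` accepts."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise PermissionError("malformed Authorization header")
    header, claims, sig = token.split(".")
    try:
        alg = json.loads(_unb64(header)).get("alg")
        given = _unb64(sig)
    except ValueError:
        raise PermissionError("undecodable token") from None
    if alg != "HS256":  # pin the algorithm, never trust the header's choice
        raise PermissionError("unexpected algorithm")
    # Verifying with the key for this path's kind rejects the other kind outright.
    if not hmac.compare_digest(_sign(ROUTES[path], f"{header}.{claims}"), given):
        raise PermissionError("token not valid for this endpoint")
    payload = json.loads(_unb64(claims))
    if payload["exp"] <= now:
        raise PermissionError("token expired")
    return payload["sub"]

def regenerate(authorization: str, now: int) -> str:
    """/users/regenerate: exchange a valid refresh token for a fresh access token."""
    return issue("access", int(authorize("/users/regenerate", authorization, now)), now)
```

A leaked access token is only useful until its short expiry, and a refresh token presented to an API endpoint fails signature verification instead of being accepted.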

Password Reset Tokens

TODO: explain



API Requests


Frontend Requests


Supply Additional Middleware


🏆 Credits

This package is developed and maintained by the Vapor team at Nodes. The package owner for this project is Siemen.

📄 License

This package is open-source software licensed under the MIT license.


Stars: 29


1.0.0-rc.2 - Mar 8, 2019


  • JWTKeychainUsers are now Models


  • The create and update routes now save the user

1.0.0-rc.1 - Mar 6, 2019


  • depends on Sugar 4.0.0 RC
  • JWTKeychainProvider now accepts a config factory to allow for thread safe middleware and signers

1.0.0-beta.3 - Jan 24, 2019


  • made JWTKeychainMiddlewares generic over the user type making it possible to use JWTKeychain with multiple types of user.

1.0.0-beta.2 - Nov 30, 2018


  • Aligned with community guidelines on how to register routes

0.16.1 - Nov 23, 2018


  • Opened up PasswordVersionClaim, e.g. if one wants to subclass the FrontendUserController.