sd_jwt
| Crates.io | sd_jwt |
| lib.rs | sd_jwt |
| version | 0.1.0 |
| created_at | 2022-06-23 13:41:51.880466+00 |
| updated_at | 2025-12-17 15:03:08.120557+00 |
| description | An implementation of SD-JWT |
| homepage | https://github.com/kushaldas/sd_jwt |
| repository | https://github.com/kushaldas/sd_jwt |
| max_upload_size | |
| id | 611889 |
| size | 172,685 |
Kushal Das (kushaldas)
documentation
README
sd_jwt
A Rust implementation of RFC 9901 - Selective Disclosure for JSON Web Tokens (SD-JWT).
SD-JWT allows an issuer to create a JWT where some claims can be selectively disclosed by the holder. This enables privacy-preserving use cases where only necessary information is revealed to verifiers.
Features
- RFC 9901 compliant - Full implementation of the SD-JWT specification
- Selective disclosure - Mark specific claims as selectively disclosable
- Array element disclosure - Support for disclosing individual array elements
- Decoy digests - Add decoy digests for enhanced privacy
- Key binding - Support for holder key binding with KB-JWT
- Multiple hash algorithms - SHA-256, SHA-384, SHA-512
Quick Start
use sd_jwt::{
issuer::issue_sd_jwt,
holder::HolderSdJwt,
verifier::verify_sd_jwt,
types::SdJwtConfig,
};
use serde_json::json;
// Issuer creates an SD-JWT
let claims = json!({
"sub": "user123",
"given_name": "John",
"family_name": "Doe",
"email": "john@example.com"
});
let issued = issue_sd_jwt(
&issuer_private_key,
"https://issuer.example.com",
claims,
&["given_name", "family_name", "email"], // Selectively disclosable
&SdJwtConfig::default(),
None,
None,
).unwrap();
// Holder creates a presentation (disclosing only given_name)
let holder_jwt = HolderSdJwt::parse(&issued.serialized).unwrap();
let presentation = holder_jwt.create_presentation(&["given_name"]).unwrap();
// Verifier verifies the presentation
let verified = verify_sd_jwt(
&presentation.serialize(),
&issuer_public_key,
"https://issuer.example.com",
).unwrap();
// Only "given_name" is disclosed, other SD claims are hidden
assert_eq!(verified.get("given_name").unwrap(), "John");
assert!(verified.get("email").is_none());
SD-JWT Format
Per RFC 9901, the SD-JWT format uses ~ as the separator:
<Issuer-signed JWT>~<Disclosure 1>~<Disclosure 2>~...~<Disclosure N>~
With Key Binding:
<Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
Modules
issuer- Functions for creating SD-JWTsholder- Functions for creating presentations with selected disclosuresverifier- Functions for verifying SD-JWT presentationsdisclosure- Disclosure data structure and utilitiestypes- Core types (SdJwt, SdJwtKb, configuration, etc.)
Examples
See the examples/ directory for complete examples:
cargo run --example rfc9901_example
Legacy API
The library also includes the legacy API from the draft-02 implementation for backward compatibility. New code should use the RFC 9901 compliant API.
License
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.