Question 1

How do I integrate Crystal JWT with the Kemal web framework?

Accepted Answer

Use Crystal JWT manually in Kemal routes by encoding tokens in login handlers and decoding in middleware for authentication. The library doesn't include pre-built Kemal middleware, so you'll need to implement token extraction and validation logic yourself, following Kemal's handler patterns.

Question 2

Crystal JWT vs implementing JWT from scratch: which is better?

Accepted Answer

Crystal JWT is far superior for most cases as it provides RFC-compliant algorithms, claim validation, and error handling out-of-the-box, saving development time and reducing security risks. Rolling your own implementation is error-prone and not recommended unless you have specific, non-standard requirements.

Question 3

How to handle token refresh with Crystal JWT?

Accepted Answer

Implement a refresh system separately by issuing new tokens with updated exp claims when validating old ones. Crystal JWT automatically checks expiration via the exp claim, but refresh logic—like storing refresh tokens—must be managed in your application code outside the library.

Question 4

Best practices for storing secret keys in Crystal JWT?

Accepted Answer

Store keys securely using environment variables or secret management services, avoiding hardcoded values. For HMAC, use strong, random secrets; for RSA/ECDSA, protect private keys and expose only public keys for verification. The library doesn't enforce storage, so follow security guidelines to prevent leaks.

Question 5

Does Crystal JWT support OpenID Connect?

Accepted Answer

No, Crystal JWT only handles JWT token creation and validation as per RFC 7519. For OpenID Connect, you'll need additional libraries or custom code to manage protocols like discovery and user info endpoints, though you can use Crystal JWT to validate JWTs issued by OpenID Connect providers.

Question 6

How to decode a JWT without checking the signature in Crystal JWT?

Accepted Answer

Use the decode method with the verify: false parameter, as shown in the README example. This allows you to inspect the payload and header for debugging or logging purposes, but avoid this in production for security reasons.

jwt

What is jwt?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions