ywt/sign_key
Types
Values
pub fn decoder() -> decode.Decoder(SignKey)
Decodes a private JWK into a signing key.
Only decode private keys from trusted storage. Unknown JWK fields are ignored;
key_ops and use are not enforced. HMAC and RSA signing JWKs must include
alg; EC signing JWKs may omit alg when the curve determines it.
For raw JSON strings, prefer parse_jwk so duplicate member handling is
consistent on all targets.
json.parse(private_jwk, sign_key.decoder())
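Since decoder() does not enforce use or key_ops, a caller that wants them enforced has to check them before decoding. The following is an added example, not code from the ywt project, that parses the JWK once and runs both a policy check and sign_key.decoder() over the same parsed value. It assumes decode is gleam/dynamic/decode; LoadError, policy_decoder and load_signing_jwk are hypothetical names.

```gleam
import gleam/dynamic/decode
import gleam/json
import gleam/list
import gleam/result
import ywt/sign_key

// Hypothetical error type for this example.
pub type LoadError {
  BadJson(json.DecodeError)
  BadFields(List(decode.DecodeError))
  WrongUse(String)
  SignNotPermitted(List(String))
}

// Reads only the two policy members. Both are optional in a JWK, and an
// absent member means "no restriction", so each defaults to a passing value.
fn policy_decoder() -> decode.Decoder(#(String, List(String))) {
  use key_use <- decode.optional_field("use", "sig", decode.string)
  use key_ops <- decode.optional_field(
    "key_ops",
    ["sign"],
    decode.list(decode.string),
  )
  decode.success(#(key_use, key_ops))
}

// Assumption: sign_key.decoder() is a gleam/dynamic/decode decoder, as its
// use with json.parse on this page suggests.
pub fn load_signing_jwk(private_jwk: String) {
  // Parse once so the policy check and the key decoder see the same object.
  use data <- result.try(
    json.parse(private_jwk, decode.dynamic) |> result.map_error(BadJson),
  )
  use #(key_use, key_ops) <- result.try(
    decode.run(data, policy_decoder()) |> result.map_error(BadFields),
  )
  case key_use, list.contains(key_ops, "sign") {
    "sig", True ->
      decode.run(data, sign_key.decoder()) |> result.map_error(BadFields)
    "sig", False -> Error(SignNotPermitted(key_ops))
    other, _ -> Error(WrongUse(other))
  }
}
```

Because this goes through json.parse, duplicate member handling is whatever the target's JSON parser does, not the consistent behaviour parse_jwk provides.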
pub fn hs256(secret: BitArray) -> Result(SignKey, Nil)
Creates an HMAC-SHA256 signing key.
The secret must be at least 256 bits. HMAC keys are symmetric, so every
verifier that receives this key can also sign tokens. The length check does
not prove the bytes are random; use ywt.generate_key or a CSPRNG.
let assert Ok(key) = sign_key.hs256(secret_32_bytes)
pub fn hs384(secret: BitArray) -> Result(SignKey, Nil)
Creates an HMAC-SHA384 signing key.
The secret must be at least 384 bits. HMAC keys are symmetric, so every
verifier that receives this key can also sign tokens. The length check does
not prove the bytes are random; use ywt.generate_key or a CSPRNG.
let assert Ok(key) = sign_key.hs384(secret_48_bytes)
pub fn hs512(secret: BitArray) -> Result(SignKey, Nil)
Creates an HMAC-SHA512 signing key.
The secret must be at least 512 bits. HMAC keys are symmetric, so every
verifier that receives this key can also sign tokens. The length check does
not prove the bytes are random; use ywt.generate_key or a CSPRNG.
let assert Ok(key) = sign_key.hs512(secret_64_bytes)
pub fn id(key: SignKey) -> Result(String, Nil)
Returns the key id, if one is set.
sign_key.id(key)
pub fn parse_jwk(
private_jwk: String,
) -> Result(SignKey, json.DecodeError)
Parses a private JWK into a signing key.
Duplicate JSON object members are handled consistently on all targets: the
lexically last member value is used, matching JavaScript’s JSON.parse.
sign_key.parse_jwk(private_jwk)