JWT Server

Server-side JWT validation. Plug TsgcHTTP_JWT_Server into a TsgcWebSocketHTTPServer to verify Authorization Bearer tokens before dispatching requests.

TsgcHTTP_JWT_Server

Verifies inbound JWTs against your signing keys (HMAC, RSA, ECDSA, EdDSA), checks exp/nbf/aud/iss claims and rejects mismatched tokens with a typed event for the application layer.

Component class: TsgcHTTP_JWT_Server

Protocol: RFC 7519 (JWT)

Platforms: Windows, macOS, Linux, iOS, Android

Edition: Enterprise

Drop, attach to server, verify on every request

Drop a TsgcHTTP_JWT_Server, configure the verifying keys (or a JWKS URL) and attach to TsgcWebSocketHTTPServer.JWT — all incoming requests are validated automatically.

Delphi:

uses
  sgcWebSocket, sgcHTTP;

var
  Server: TsgcWebSocketHTTPServer;
  JWT: TsgcHTTP_JWT_Server;
begin
  // Verifier: HMAC key plus the issuer and audience every token must carry
  JWT := TsgcHTTP_JWT_Server.Create(nil);
  // Placeholder secret; load the real one from protected configuration
  JWT.JWTOptions.Algorithms.HS.Secret := 'shared-secret';
  JWT.JWTOptions.Verify.Issuer   := 'auth.example.com';
  JWT.JWTOptions.Verify.Audience := 'api.example.com';

  // TLS server with JWT authentication delegated to the verifier
  Server := TsgcWebSocketHTTPServer.Create(nil);
  Server.Port := 8443;
  Server.SSL  := True;
  Server.Authentication.JWT.Enabled := True;
  Server.Authentication.JWT.Server  := JWT;

  Server.Active := True;
end;

C++ Builder:

// uses: sgcWebSocket, sgcHTTP
TsgcHTTP_JWT_Server *JWT = new TsgcHTTP_JWT_Server(this);
// Placeholder secret; load the real one from protected configuration
JWT->JWTOptions->Algorithms->HS->Secret = "shared-secret";
// Issuer and Audience are not set in this shorter snippet; configure them as in the Delphi example

TsgcWebSocketHTTPServer *Server = new TsgcWebSocketHTTPServer(this);
Server->Authentication->JWT->Enabled = true;
Server->Authentication->JWT->Server  = JWT;
Server->Active = true;

What's inside

Server-side JWT verifier that integrates directly with TsgcWebSocketHTTPServer and TsgcWebSocketServer authentication.

Multi-algorithm verify

Supports HS256/384/512, RS256/384/512, ES256/384/512, PS256/384/512 and EdDSA. Multiple keys (kid-indexed) can be loaded for key rotation.

Standard claim checks

Verify.Issuer, Verify.Audience, Verify.Subject, Verify.NotBefore, Verify.ExpirationTime are all enforced against the inbound payload by default.

JWKS endpoint

Point JWTOptions.JWKS.URL at an issuer JWKS endpoint: the component fetches the public keys, caches them and picks the key by the JWK kid in each token header, so rotated keys are followed.

On-failure event

OnAuthError exposes the rejection reason (signature mismatch, expired, audience mismatch); your app decides whether to 401 or fall back.

WebSocket hooks

Works for TsgcWebSocketServer too — the WebSocket upgrade carries the Authorization header, the JWT server verifies before OnConnect fires.

JWE support

Encrypted JWE tokens are decoded and verified inline using the configured private key (RSA-OAEP, ECDH-ES key wrap; AES-CBC / AES-GCM content encryption).
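
The checks described under "Multi-algorithm verify", "Standard claim checks" and "On-failure event", written out for the HS256 case as an added Python example; it is not sgcWebSockets code and not part of the original page. It uses the sample secret, issuer and audience from the configuration above; the function names and the rejection-reason strings are assumptions of the example.

```python
import base64, hashlib, hmac, json, time

# Values from the page's sample configuration.
SECRET, ISSUER, AUDIENCE = b"shared-secret", "auth.example.com", "api.example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body, secret):
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint(claims, secret=SECRET, alg="HS256"):
    """Build a constructed test token for exercising verify()."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head, body, secret))}"

def verify(token, now=None):
    """Return 'ok' or a rejection reason (reason strings are this example's own)."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError:
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    # Pin the algorithm server-side; the token header must not choose it.
    if header.get("alg") != "HS256":
        return "algorithm not allowed"
    # Constant-time comparison; no claim is trusted before this passes.
    if not hmac.compare_digest(sign(head, body, SECRET), given):
        return "signature mismatch"
    exp, nbf, aud = claims.get("exp"), claims.get("nbf", 0), claims.get("aud")
    # Assumption of this example: a missing or non-numeric exp is rejected.
    if not isinstance(exp, (int, float)) or now >= exp:
        return "expired"
    if not isinstance(nbf, (int, float)) or now < nbf:
        return "not yet valid"
    if claims.get("iss") != ISSUER:
        return "issuer mismatch"
    # RFC 7519 allows aud to be a single string or an array of strings.
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    return "ok"
```

Tokens produced by mint() with an expired exp, a foreign aud or the wrong secret can also be sent to a configured server to confirm that each case is rejected there.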

Documentation & Demos

Deep-link to the component reference, grab the ready-to-run demo project, and download the trial.

Online Help (TsgcHTTP_JWT_Server): full property, method and event reference for this component.
Demo Project (Demos\20.HTTP_Protocol\05.JWT): ready-to-run example project. Ships inside the sgcWebSockets package.
Technical Document (PDF): features, quick start, code samples for Delphi & C++ Builder and primary-source references, for this component only.
User Manual (PDF): comprehensive manual covering every component in the library.
