ruby 22 lines · 2 tabs

JWT issuance and verification without common footguns

Kai Nakamura Apr 2026
2 tabs
payload = {
  sub: user.id,
  iss: 'https://auth.example.com',
  aud: 'codesnips-api',
  exp: 15.minutes.from_now.to_i,
  iat: Time.now.to_i,
  jti: SecureRandom.uuid,
}

token = JWT.encode(payload, OpenSSL::PKey::RSA.new(ENV.fetch('JWT_PRIVATE_KEY')), 'RS256')
2 files · ruby Explain with highlit

JWTs are easy to misuse because libraries make them look simpler than they are. I pin the algorithm, validate issuer and audience, keep expirations short, and rotate signing keys deliberately. I also avoid putting sensitive business data into tokens just because it is convenient.

Share this code

Here's the card — post it anywhere.

JWT issuance and verification without common footguns — share card
Link copied