JWT Conditions

Last updated 1 month ago

The JWTCondition validates JSON Web Tokens (JWTs) against a specified public key. It supports standard JWT claims such as expiration time and "not before" time. This condition type enables integration with existing Web2 authentication and authorization services.

The JWT standard's flexibility allows for various use cases, including:

  • DRM frameworks and platforms

  • Content distribution

  • Identity management

  • Access-controlled agentic workflows

Centralization Considerations

In Web2 environments, JWT issuers are typically trusted central authorities. The presence of centralized issuance of JWTs does not impact the decentralized verification of those JWTs by the TACo network, but it does have trust implications for the system as a whole. Conversely, in Web3 settings, TACo is fully compatible with decentralized JWT issuers – for example, those that leverage threshold digital signatures like threshold ECDSA. From a verification perspective, TACo remains agnostic to the token issuing environment or entity.

Properties

  • jwtToken: A context variable that is supplied at decryption time with the JWT to be validated.

  • publicKey: A string containing the digital signature public key in PEM format.

  • expectedIssuer (Optional): A string representing the JWT issuer. If provided, it must match the token's issuer claim.

Error Handling

The condition will fail and access will be denied in the following cases:

  • If the JWT is malformed or cannot be parsed

  • If the JWT's signature cannot be verified with the provided public key

  • If the JWT has expired (when the exp (Expiration Time) claim is present)

  • If the JWT is not yet valid (when the nbf (Not Before) claim is present)

  • If the expectedIssuer is provided but doesn't match the JWT's iss (Issuer) claim

  • If any required claims specified in the condition are missing from the JWT

Example

import { conditions } from '@nucypher/taco';

const jwtCondition = new conditions.base.jwt.JWTCondition({
  jwtToken: ":authToken", // Context variable for the JWT token
  publicKey: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...", // Public key in PEM format
  expectedIssuer: "https://some-jwt-issuer.com", // Optional issuer validation
});

// The condition would be satisfied if the JWT token:
// 1. Has a valid signature verifiable with the provided public key
// 2. Has not expired (if exp claim is present in the JWT)
// 3. Is currently valid (if nbf claim is present in the JWT)
// 4. Was issued by "https://some-jwt-issuer.com" (since expectedIssuer was specified in the condition)

Development References

  • Client-side: https://github.com/nucypher/taco-web/pull/604

  • Server-side: https://github.com/nucypher/nucypher/pull/3570