JWT

Author: pblazej

Package.swift

@@ -23,10 +23,9 @@ let package = Package(
         .package(url: "https://github.com/apple/swift-protobuf.git", from: "1.29.0"),
         .package(url: "https://github.com/apple/swift-log.git", from: "1.6.2"),
         .package(url: "https://github.com/apple/swift-collections.git", from: "1.1.0"),
+        .package(url: "https://github.com/vapor/jwt-kit.git", from: "4.13.5"),
         // Only used for DocC generation
         .package(url: "https://github.com/apple/swift-docc-plugin.git", from: "1.3.0"),
-        // Only used for Testing
-        .package(url: "https://github.com/vapor/jwt-kit.git", from: "4.13.4"),
     ],
     targets: [
         .target(
@@ -41,6 +40,7 @@ let package = Package(
                 .product(name: "DequeModule", package: "swift-collections"),
                 .product(name: "OrderedCollections", package: "swift-collections"),
                 .product(name: "Logging", package: "swift-log"),
+                .product(name: "JWTKit", package: "jwt-kit"),
                 "LKObjCHelpers",
             ],
             exclude: [
@@ -57,14 +57,12 @@ let package = Package(
             name: "LiveKitTests",
             dependencies: [
                 "LiveKit",
-                .product(name: "JWTKit", package: "jwt-kit"),
             ]
         ),
         .testTarget(
             name: "LiveKitTestsObjC",
             dependencies: [
                 "LiveKit",
-                .product(name: "JWTKit", package: "jwt-kit"),
             ]
         ),
     ],

Package@swift-6.0.swift

@@ -24,10 +24,9 @@ let package = Package(
         .package(url: "https://github.com/apple/swift-protobuf.git", from: "1.29.0"),
         .package(url: "https://github.com/apple/swift-log.git", from: "1.6.2"),
         .package(url: "https://github.com/apple/swift-collections.git", from: "1.1.0"),
+        .package(url: "https://github.com/vapor/jwt-kit.git", from: "4.13.5"),
         // Only used for DocC generation
         .package(url: "https://github.com/apple/swift-docc-plugin.git", from: "1.3.0"),
-        // Only used for Testing
-        .package(url: "https://github.com/vapor/jwt-kit.git", from: "4.13.4"),
     ],
     targets: [
         .target(
@@ -42,6 +41,7 @@ let package = Package(
                 .product(name: "DequeModule", package: "swift-collections"),
                 .product(name: "OrderedCollections", package: "swift-collections"),
                 .product(name: "Logging", package: "swift-log"),
+                .product(name: "JWTKit", package: "jwt-kit"),
                 "LKObjCHelpers",
             ],
             exclude: [
@@ -58,14 +58,12 @@ let package = Package(
             name: "LiveKitTests",
             dependencies: [
                 "LiveKit",
-                .product(name: "JWTKit", package: "jwt-kit"),
             ]
         ),
         .testTarget(
             name: "LiveKitTestsObjC",
             dependencies: [
                 "LiveKit",
-                .product(name: "JWTKit", package: "jwt-kit"),
             ]
         ),
     ],

Sources/LiveKit/Auth/JWT.swift

@@ -0,0 +1,99 @@
+/*
+ * Copyright 2025 LiveKit
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import JWTKit
+
+public struct LiveKitJWTPayload: JWTPayload, Codable, Equatable {
+    public struct VideoGrant: Codable, Equatable {
+        /// Name of the room, must be set for admin or join permissions
+        public let room: String?
+        /// Permission to create a room
+        public let roomCreate: Bool?
+        /// Permission to join a room as a participant, room must be set
+        public let roomJoin: Bool?
+        /// Permission to list rooms
+        public let roomList: Bool?
+        /// Permission to start a recording
+        public let roomRecord: Bool?
+        /// Permission to control a specific room, room must be set
+        public let roomAdmin: Bool?
+
+        /// Allow participant to publish. If neither canPublish or canSubscribe is set, both publish and subscribe are enabled
+        public let canPublish: Bool?
+        /// Allow participant to subscribe to other tracks
+        public let canSubscribe: Bool?
+        /// Allow participants to publish data, defaults to true if not set
+        public let canPublishData: Bool?
+        /// Allowed sources for publishing
+        public let canPublishSources: [String]?
+        /// Participant isn't visible to others
+        public let hidden: Bool?
+        /// Participant is recording the room, when set, allows room to indicate it's being recorded
+        public let recorder: Bool?
+
+        public init(room: String? = nil,
+                    roomCreate: Bool? = nil,
+                    roomJoin: Bool? = nil,
+                    roomList: Bool? = nil,
+                    roomRecord: Bool? = nil,
+                    roomAdmin: Bool? = nil,
+                    canPublish: Bool? = nil,
+                    canSubscribe: Bool? = nil,
+                    canPublishData: Bool? = nil,
+                    canPublishSources: [String]? = nil,
+                    hidden: Bool? = nil,
+                    recorder: Bool? = nil)
+        {
+            self.room = room
+            self.roomCreate = roomCreate
+            self.roomJoin = roomJoin
+            self.roomList = roomList
+            self.roomRecord = roomRecord
+            self.roomAdmin = roomAdmin
+            self.canPublish = canPublish
+            self.canSubscribe = canSubscribe
+            self.canPublishData = canPublishData
+            self.canPublishSources = canPublishSources
+            self.hidden = hidden
+            self.recorder = recorder
+        }
+    }
+
+    /// Expiration time claim
+    public let exp: ExpirationClaim
+    /// Issuer claim
+    public let iss: IssuerClaim
+    /// Not before claim
+    public let nbf: NotBeforeClaim
+    /// Subject claim
+    public let sub: SubjectClaim
+
+    /// Participant name
+    public let name: String?
+    /// Participant metadata
+    public let metadata: String?
+    /// Video grants for the participant
+    public let video: VideoGrant?
+
+    public func verify(using _: JWTSigner) throws {
+        try nbf.verifyNotBefore()
+        try exp.verifyNotExpired()
+    }
+
+    static func fromUnverified(token: String) -> Self? {
+        try? JWTSigners().unverified(token, as: Self.self)
+    }
+}

Sources/LiveKit/Auth/TokenSource.swift

@@ -249,39 +249,23 @@ public extension Token.Response {
     /// - Parameter tolerance: Time tolerance in seconds for token expiration check (default: 60 seconds)
     /// - Returns: `true` if the token is valid and not expired, `false` otherwise
     func hasValidToken(withTolerance tolerance: TimeInterval = 60) -> Bool {
-        let parts = participantToken.components(separatedBy: ".")
-        guard parts.count == 3 else {
+        guard let jwt = jwt() else {
             return false
         }
 
-        let payloadData = parts[1]
-
-        struct JWTPayload: Decodable {
-            let nbf: Double
-            let exp: Double
-        }
-
-        guard let payloadJSON = payloadData.base64Decode(),
-              let payload = try? JSONDecoder().decode(JWTPayload.self, from: payloadJSON)
-        else {
+        do {
+            try jwt.nbf.verifyNotBefore()
+            try jwt.exp.verifyNotExpired(currentDate: Date().addingTimeInterval(tolerance))
+        } catch {
             return false
         }
 
-        let now = Date().timeIntervalSince1970
-        return payload.nbf <= now && payload.exp > now - tolerance
+        return true
     }
-}
-
-private extension String {
-    func base64Decode() -> Data? {
-        var base64 = self
-        base64 = base64.replacingOccurrences(of: "-", with: "+")
-        base64 = base64.replacingOccurrences(of: "_", with: "/")
-
-        while base64.count % 4 != 0 {
-            base64.append("=")
-        }
 
-        return Data(base64Encoded: base64)
+    /// Extracts the JWT payload from the participant token.
+    /// - Returns: The JWT payload if found, nil otherwise
+    func jwt() -> LiveKitJWTPayload? {
+        LiveKitJWTPayload.fromUnverified(token: participantToken)
     }
 }

Tests/LiveKitTests/Auth/TokenSourceTests.swift

@@ -37,7 +37,7 @@ class TokenSourceTests: LKTestCase {
                 identity: request.participantIdentity ?? "test-identity"
             )
             tokenGenerator.name = request.participantName ?? participantName
-            tokenGenerator.videoGrant = VideoGrant(room: request.roomName ?? "test-room", roomJoin: true)
+            tokenGenerator.videoGrant = LiveKitJWTPayload.VideoGrant(room: request.roomName ?? "test-room", roomJoin: true)
 
             let token = try tokenGenerator.sign()
 
@@ -76,7 +76,7 @@ class TokenSourceTests: LKTestCase {
                 ttl: -60
             )
             tokenGenerator.name = request.participantName ?? "test-participant"
-            tokenGenerator.videoGrant = VideoGrant(room: request.roomName ?? "test-room", roomJoin: true)
+            tokenGenerator.videoGrant = LiveKitJWTPayload.VideoGrant(room: request.roomName ?? "test-room", roomJoin: true)
 
             let token = try tokenGenerator.sign()
 

Tests/LiveKitTests/Support/Room.swift

@@ -76,12 +76,12 @@ extension LKTestCase {
                                             apiSecret: apiSecret,
                                             identity: identity)
 
-        tokenGenerator.videoGrant = VideoGrant(room: room,
-                                               roomJoin: true,
-                                               canPublish: canPublish,
-                                               canSubscribe: canSubscribe,
-                                               canPublishData: canPublishData,
-                                               canPublishSources: canPublishSources.map(String.init))
+        tokenGenerator.videoGrant = LiveKitJWTPayload.VideoGrant(room: room,
+                                                                 roomJoin: true,
+                                                                 canPublish: canPublish,
+                                                                 canSubscribe: canSubscribe,
+                                                                 canPublishData: canPublishData,
+                                                                 canPublishSources: canPublishSources.map(String.init))
         return try tokenGenerator.sign()
     }
 

Tests/LiveKitTests/Support/TokenGenerator.swift

@@ -16,83 +16,9 @@
 
 import Foundation
 import JWTKit
-
-public struct VideoGrant: Codable, Equatable {
-    /** name of the room, must be set for admin or join permissions */
-    let room: String?
-    /** permission to create a room */
-    let roomCreate: Bool?
-    /** permission to join a room as a participant, room must be set */
-    let roomJoin: Bool?
-    /** permission to list rooms */
-    let roomList: Bool?
-    /** permission to start a recording */
-    let roomRecord: Bool?
-    /** permission to control a specific room, room must be set */
-    let roomAdmin: Bool?
-
-    /**
-     * allow participant to publish. If neither canPublish or canSubscribe is set,
-     * both publish and subscribe are enabled
-     */
-    let canPublish: Bool?
-    /** allow participant to subscribe to other tracks */
-    let canSubscribe: Bool?
-    /**
-     * allow participants to publish data, defaults to true if not set
-     */
-    let canPublishData: Bool?
-    /** allowed sources for publishing */
-    let canPublishSources: [String]? // String as returned in the JWT
-    /** participant isn't visible to others */
-    let hidden: Bool?
-    /** participant is recording the room, when set, allows room to indicate it's being recorded */
-    let recorder: Bool?
-
-    init(room: String? = nil,
-         roomCreate: Bool? = nil,
-         roomJoin: Bool? = nil,
-         roomList: Bool? = nil,
-         roomRecord: Bool? = nil,
-         roomAdmin: Bool? = nil,
-         canPublish: Bool? = nil,
-         canSubscribe: Bool? = nil,
-         canPublishData: Bool? = nil,
-         canPublishSources: [String]? = nil,
-         hidden: Bool? = nil,
-         recorder: Bool? = nil)
-    {
-        self.room = room
-        self.roomCreate = roomCreate
-        self.roomJoin = roomJoin
-        self.roomList = roomList
-        self.roomRecord = roomRecord
-        self.roomAdmin = roomAdmin
-        self.canPublish = canPublish
-        self.canSubscribe = canSubscribe
-        self.canPublishData = canPublishData
-        self.canPublishSources = canPublishSources
-        self.hidden = hidden
-        self.recorder = recorder
-    }
-}
+@testable import LiveKit
 
 public class TokenGenerator {
-    private struct Payload: JWTPayload, Equatable {
-        let exp: ExpirationClaim
-        let iss: IssuerClaim
-        let nbf: NotBeforeClaim
-        let sub: SubjectClaim
-
-        let name: String?
-        let metadata: String?
-        let video: VideoGrant?
-
-        func verify(using _: JWTSigner) throws {
-            fatalError("not implemented")
-        }
-    }
-
     // 30 mins
     static let defaultTTL: TimeInterval = 30 * 60
 
@@ -104,7 +30,7 @@ public class TokenGenerator {
     public var ttl: TimeInterval
     public var name: String?
     public var metadata: String?
-    public var videoGrant: VideoGrant?
+    public var videoGrant: LiveKitJWTPayload.VideoGrant?
 
     // MARK: - Private
 
@@ -127,13 +53,13 @@ public class TokenGenerator {
 
         let n = Date().timeIntervalSince1970
 
-        let p = Payload(exp: .init(value: Date(timeIntervalSince1970: floor(n + ttl))),
-                        iss: .init(stringLiteral: apiKey),
-                        nbf: .init(value: Date(timeIntervalSince1970: floor(n))),
-                        sub: .init(stringLiteral: identity),
-                        name: name,
-                        metadata: metadata,
-                        video: videoGrant)
+        let p = LiveKitJWTPayload(exp: .init(value: Date(timeIntervalSince1970: floor(n + ttl))),
+                                  iss: .init(stringLiteral: apiKey),
+                                  nbf: .init(value: Date(timeIntervalSince1970: floor(n))),
+                                  sub: .init(stringLiteral: identity),
+                                  name: name,
+                                  metadata: metadata,
+                                  video: videoGrant)
 
         return try signers.sign(p)
     }