Aerostack
Aerostack
security

sec-jwt-sign Edge Function — Security

Security

Signs a JWT token using HMAC-SHA256 or HMAC-SHA512 via Web Crypto — zero dependencies.

navin @navin verified
Updated Mar 12, 2026
GitHub

Edge function sec-jwt-sign Signs a JWT token using HMAC-SHA256 or HMAC-SHA512 via Web Crypto — zero dependencies.. Deployed on Cloudflare Workers — zero cold starts, globally distributed. Mount it via your Aerostack workspace to call it from any AI agent.

terminal — aerostack cli
$ npx aerostack add navin/sec-jwt-sign
smart_toy

Use with AI Assistants

MCP

Connect Claude, Cursor, or any MCP-compatible client — then call this function by slug

① Add MCP Server

Add this once — access all Aerostack functions from your AI tool.

claude_desktop_config.json 
{
  "mcpServers": {
    "aerostack": {
      "url": "https://mcp.aerostack.dev",
      "type": "http"
    }
  }
}

② Call this function

Ask your AI to use the call_function tool with this slug:

call_function 
call_function({
  slug: "sec-jwt-sign",
  args: {
    "payload": null,
    "secret": "example_secret",
    "algorithm": "HS256",
    "expiresIn": 42
  }
})

sec-jwt-sign — Sign JWT tokens with HMAC

Creates a signed JSON Web Token (JWT) using HMAC-SHA256 or HMAC-SHA512 via the Web Crypto API — zero npm dependencies.

API

POST /api/sec-jwt-sign

Request body

Field Type Required Default Description
payload object Claims to embed (e.g. { sub, userId, roles })
secret string HMAC signing secret
algorithm "HS256" | "HS512" "HS256" HMAC hash algorithm
expiresIn number Token TTL in seconds — adds exp claim

Success response (200)

{
  "success": true,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwiaWF0IjoxNzA5MDAwMDAwfQ.abc123"
  }
}

Error responses

Code HTTP When
INVALID_INPUT 400 Missing required field or wrong type
INTERNAL_ERROR 500 Unexpected error

Usage

cURL
curl -X POST "$FUNCTION_URL" \
  -H "Content-Type: application/json" \
  -d '{"payload": {"sub": "user123", "role": "admin"}, "secret": "my-secret", "expiresIn": 3600}'
TypeScript / JavaScript (HTTP)
const response = await fetch(FUNCTION_URL, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    payload: { sub: 'user123', role: 'admin' },
    secret: 'my-secret',
    algorithm: 'HS256',
    expiresIn: 3600,
  }),
});
const { data } = await response.json();
console.log(data.token);
Direct import (Node / Bun / Deno)
import { jwtSign } from '@aerostack/functions/sec-jwt-sign';

const { token } = await jwtSign({
  payload: { sub: 'user123', role: 'admin' },
  secret: process.env.JWT_SECRET!,
  algorithm: 'HS256',
  expiresIn: 3600,
});

Use Cases

  • Issuing access tokens after user login in a stateless auth system
  • Creating short-lived API tokens for machine-to-machine communication
  • Generating signed invite or magic-link tokens with embedded expiry
  • Signing webhook payloads so receivers can verify their authenticity

Notes

  • iat (issued-at) is always added automatically
  • exp is only added when expiresIn is provided
  • Uses Web Crypto API — works on Cloudflare Workers, Node 18+, Bun, Deno
  • Token format is standard JWT: base64url(header).base64url(payload).base64url(signature)
  • Use sec-jwt-verify to validate tokens produced by this function

Metadata

upgrade Version 1.0.0
gavel License MIT
language Language typescript
cloud Provider aerostack

Tags

security

Publisher

navin

@navin verified

deployed_code

Build and publish your own functions

Write a TypeScript function, deploy it to the edge, and share it with thousands of developers — in minutes.

Publish a Function → Read the docs

More Security Functions

Browse Security Functions →
extension

sec-api-key-generate

by @navin

Generates a cryptographically random API key with a custom prefix using a base62 alphabet — no ambiguous characters, URL-safe.

security
star 1
extension

sec-cors-validate

by @navin

Validates a request Origin against an allow list and returns the correct CORS response headers to set — supports wildcards and credentials.

security
star 0
extension

sec-csp-generate

by @navin

Generates a Content-Security-Policy header value from a structured directives object — supports report-only mode and report-uri.

security
star 0
extension

sec-decrypt-aes

by @navin

Decrypts an AES-256-GCM encrypted bundle produced by sec-encrypt-aes — key is derived via SHA-256, auth tag is verified automatically.

security
star 0
extension

sec-encrypt-aes

by @navin

Encrypts a string with AES-256-GCM using Web Crypto — key is derived via SHA-256, output is a portable IV:ciphertext bundle.

security
star 0
extension

sec-hash-sha256

by @navin

Hashes a string using SHA-256 via the Web Crypto API. Supports hex and base64 output. Zero dependencies.

security
star 0

Frequently asked questions

What does the sec-jwt-sign function do? +

sec-jwt-sign is a serverless edge function for security automation written in aerostack. Deploy it to Cloudflare Workers via your Aerostack workspace.

How do I deploy the sec-jwt-sign function? +

Install the Aerostack CLI and run: ```bash aerostack deploy function @navin/sec-jwt-sign ``` It will be live on Cloudflare Workers in seconds.

What runtime does sec-jwt-sign use? +

sec-jwt-sign runs on aerostack on the Cloudflare Workers edge runtime — zero cold starts, globally distributed.

Can I customise the sec-jwt-sign function? +

Yes. Fork the function from your Aerostack dashboard, modify the source, and redeploy. All changes are version-controlled.