btw: MoQ is under active development. The APIs and protocols are still evolving and will change. Most of this documentation is AI generated until things get more stable.

Skip to content

moq-token

crates.iodocs.rs

JWT authentication library and CLI tool for MoQ relay authentication.

Overview

moq-token provides:

  • Library - Generate and verify JWT tokens in Rust
  • CLI - Command-line tool for key and token management
  • Multiple algorithms - HMAC, RSA, ECDSA, EdDSA

Installation

Library

Add to your Cargo.toml:

toml
[dependencies]
moq-token = "0.1"

CLI

bash
cargo install moq-token-cli

The binary is named moq-token.

Using Nix

bash
# Run directly
nix run github:moq-dev/moq#moq-token

# Or build and find the binary in ./result/bin/
nix build github:moq-dev/moq#moq-token

Using Docker

bash
docker pull moqdev/moq-token-cli
docker run -v "$(pwd):/app" -w /app moqdev/moq-token-cli:latest generate --out root.jwk

Multi-arch images (linux/amd64 and linux/arm64) are published to Docker Hub.

CLI Usage

Generate a Key

bash
# Symmetric key (HMAC)
moq-token generate --out root.jwk --algorithm HS256

# Asymmetric key pair (RSA)
moq-token generate --algorithm RS256 --out private.jwk --public public.jwk

# Asymmetric key pair (EdDSA)
moq-token generate --algorithm EdDSA --out private.jwk --public public.jwk

Sign a Token

bash
moq-token sign --key root.jwk \
  --root "rooms/123" \
  --publish "alice" \
  --subscribe "" \
  --expires 1735689600 > alice.jwt

Verify a Token

bash
moq-token verify --key root.jwk < alice.jwt

Supported Algorithms

Symmetric (HMAC):

  • HS256
  • HS384
  • HS512

Asymmetric (RSA):

  • RS256, RS384, RS512
  • PS256, PS384, PS512

Asymmetric (Elliptic Curve):

  • EC256, EC384
  • EdDSA

Library Usage

For the TypeScript equivalent, see js/token/examples/sign-and-verify.ts.

Token Claims

ClaimTypeDescription
rootstringRoot path for all operations
putstring | string[]?Publishing permission paths
getstring | string[]?Subscription permission paths
clusterbool?Cluster node flag
expnumber?Expiration (Unix timestamp)
iatnumber?Issued at (Unix timestamp)

Integration with moq-relay

Configure the relay to use your key:

toml
[auth]
key = "root.jwk"
public = "anon"  # Optional: anonymous access

See Relay Authentication for details.

Security Considerations

  • Symmetric keys should only be used when the same entity signs and verifies
  • Asymmetric keys are preferred for distributed systems (relay only needs public key)
  • Token expiration should be set appropriately for your use case
  • Secure transmission - Only transmit tokens over HTTPS
  • Secure storage - Keep private keys secure

JWK Set Support

For key rotation, use the relay's key_dir option pointing to a directory or URL. The relay resolves keys on demand by extracting the kid (key ID) from the JWT header and fetching the corresponding {kid}.jwk file. See Relay Authentication for configuration details.

API Reference

Full API documentation: docs.rs/moq-token

Next Steps

Licensed under MIT or Apache-2.0