Skip to content

Tokens commands

The opentf-ctl tool provides a set of commands to manage tokens. You can generate tokens, check token signatures, and view token payloads.

generate token using {key}

This command generates a signed token.

The specified key must be a valid private key. It may be encrypted with a passphrase, in which case you will be prompted for it.

If you do not already have a private key, you can create it using the following commands:

openssl genrsa -out trusted_key.pem 4096
openssl rsa -pubout -in trusted_key.pem -out

You can then use the command to create as many tokens as needed:

opentf-ctl generate token using trusted_key.pem
Please specify an algorithm (RS512 if unspecified):
The specified algorithm is: RS512
Please enter the issuer (your company or department): acme
Please enter the subject (you or the person you are making this token for): charlie
The signed token is:

check token {token} using {key}

This command checks if the token signature matches the specified public key.

opentf-ctl check token ey... using

If the token signature matches the payload is displayed:

The token is signed by the public key.  The token payload is:
{'iss': 'acme', 'sub': 'foo'}

If the token signature does not match, an error message is displayed:

ERROR:root:The token is not signed by

view token {token}

This command shows the token payload.

opentf-ctl view token ey...
The token payload is:
{'iss': 'acme', 'sub': 'foo'}

This command does not check the token signature. It will work even if the signature is missing or corrupted.

If the token is invalid, an error message is displayed. The error message will depend on the cause of invalidity.

ERROR:root:Could not validate token signature: Invalid payload padding.