This example shows how to use Rocket request guards for authentication with JSON Web Tokens (JWT for short). The idea is that all requests authenticate first at to get a JWT. Then the JWT is sent with all requests requiring authentication using the HTTP header Authorization: Bearer <token>.

This example uses the jsonwebtoken which supports symmetric and asymmetric secret encoding, built-in validations, and most JWT algorithms. However, this example only makes use of symmetric encoding and validation on the expiration claim.


Three Rocket routes are registered in this file:

  1. /public: a route that can be called without needing any authentication.
  2. /login: a route for posting a JSON object with a username and password to get a JWT.
  3. /private: a route that can only be accessed with a valid JWT.


The bulk of this example is in this file. Most of the code can be transferred to other frameworks except for the FromRequest implementation, which is Rocket specific. This file contains a Claims object which can be expanded with more claims. A Claims can be created from a Bearer <token> string using Claims::from_authorization(). And a Claims object can also be converted to a token using to_token().

name = "authentication"
version = "0.1.0"
edition = "2021"

chrono = "0.4.23"
jsonwebtoken = { version = "8.1.1", default-features = false }
lazy_static = "1.4.0"
rocket = { version = "0.5.0-rc.2", features = ["json"] }
serde = { version = "1.0.148", features = ["derive"] }
shuttle-rocket = "0.27.0"
shuttle-runtime = "0.27.0"
tokio = "1.26.0"

Your should look like this:
use rocket::http::Status;
use rocket::response::status::Custom;
use rocket::serde::json::Json;
use serde::{Deserialize, Serialize};

mod claims;

use claims::Claims;

extern crate rocket;

struct PublicResponse {
    message: String,

fn public() -> Json<PublicResponse> {
    Json(PublicResponse {
        message: "This endpoint is open to anyone".to_string(),

struct PrivateResponse {
    message: String,
    user: String,

// More details on Rocket request guards can be found here
fn private(user: Claims) -> Json<PrivateResponse> {
    Json(PrivateResponse {
        message: "The `Claims` request guard ensures only valid JWTs can access this endpoint"

struct LoginRequest {
    username: String,
    password: String,

struct LoginResponse {
    token: String,

/// Tries to authenticate a user. Successful authentications get a JWT
#[post("/login", data = "<login>")]
fn login(login: Json<LoginRequest>) -> Result<Json<LoginResponse>, Custom<String>> {
    // This should be real user validation code, but is left simple for this example
    if login.username != "username" || login.password != "password" {
        return Err(Custom(
            "account was not found".to_string(),

    let claim = Claims::from_name(&login.username);
    let response = LoginResponse {
        token: claim.into_token()?,


async fn rocket() -> shuttle_rocket::ShuttleRocket {
    let rocket = rocket::build().mount("/", routes![public, private, login]);


Your should look like this:
use chrono::{Duration, Utc};
use jsonwebtoken::{
    decode, encode, errors::ErrorKind, DecodingKey, EncodingKey, Header, Validation,
use lazy_static::lazy_static;
use rocket::{
    request::{FromRequest, Outcome},
use serde::{Deserialize, Serialize};

// TODO: this has an extra trailing space to cause the test to fail
// This is to demonstrate shuttle will not deploy when a test fails.
// FIX: remove the extra space character and try deploying again
const BEARER: &str = "Bearer  ";
const AUTHORIZATION: &str = "Authorization";

/// Key used for symmetric token encoding
const SECRET: &str = "secret";

lazy_static! {
    /// Time before token expires (aka exp claim)
    static ref TOKEN_EXPIRATION: Duration = Duration::minutes(5);

// Used when decoding a token to `Claims`
#[derive(Debug, PartialEq)]
pub(crate) enum AuthenticationError {

// Basic claim object. Only the `exp` claim (field) is required. Consult the `jsonwebtoken` documentation for other claims that can be validated.
// The `name` is a custom claim for this API
#[derive(Serialize, Deserialize, Debug)]
pub(crate) struct Claims {
    pub(crate) name: String,
    exp: usize,

// Rocket specific request guard implementation
impl<'r> FromRequest<'r> for Claims {
    type Error = AuthenticationError;

    async fn from_request(request: &'r rocket::Request<'_>) -> Outcome<Self, Self::Error> {
        match request.headers().get_one(AUTHORIZATION) {
            None => Outcome::Failure((Status::Forbidden, AuthenticationError::Missing)),
            Some(value) => match Claims::from_authorization(value) {
                Err(e) => Outcome::Failure((Status::Forbidden, e)),
                Ok(claims) => Outcome::Success(claims),

impl Claims {
    pub(crate) fn from_name(name: &str) -> Self {
        Self {
            name: name.to_string(),
            exp: 0,

    /// Create a `Claims` from a 'Bearer <token>' value
    fn from_authorization(value: &str) -> Result<Self, AuthenticationError> {
        let token = value.strip_prefix(BEARER).map(str::trim);

        if token.is_none() {
            return Err(AuthenticationError::Missing);

        // Safe to unwrap as we just confirmed it is not none
        let token = token.unwrap();

        // Use `jsonwebtoken` to get the claims from a JWT
        // Consult the `jsonwebtoken` documentation for using other algorithms and validations (the default validation just checks the expiration claim)
        let token = decode::<Claims>(
        .map_err(|e| match e.kind() {
            ErrorKind::ExpiredSignature => AuthenticationError::Expired,
            _ => AuthenticationError::Decoding(e.to_string()),


    /// Converts this claims into a token string
    pub(crate) fn into_token(mut self) -> Result<String, Custom<String>> {
        let expiration = Utc::now()
            .expect("failed to create an expiration time")

        self.exp = expiration as usize;

        // Construct and return JWT using `jsonwebtoken`
        // Consult the `jsonwebtoken` documentation for using other algorithms and asymmetric keys
        let token = encode(
        .map_err(|e| Custom(Status::BadRequest, e.to_string()))?;


mod tests {
    use crate::claims::AuthenticationError;

    use super::Claims;

    fn missing_bearer() {
        let claim_err = Claims::from_authorization("no-Bearer-prefix").unwrap_err();

        assert_eq!(claim_err, AuthenticationError::Missing);

    fn to_token_and_back() {
        let claim = Claims::from_name("test runner");
        let token = claim.into_token().unwrap();
        let token = format!("Bearer {token}");

        let claim = Claims::from_authorization(&token).unwrap();

        assert_eq!(, "test runner");


After logging into Shuttle, use the following command to deploy this example:

Create a project, this will start an isolated deployer container for you under the hood:

cargo shuttle project start
cargo shuttle deploy

Notice how this deploy fails since one of the test fails. See the TODO at the top of src/ on how to fix the test. Once the code is fixed, try to deploy again. Now make a note of the Host for the deploy to use in the examples below. Or just use as the host below.

Seeing it in action

First, we should be able to access the public endpoint without any authentication using:

$ curl https://<host>/public

But trying to access the private endpoint will fail with a 403 forbidden:

$ curl https://<host>/private

So let’s get a JWT from the login route first:

$ curl --request POST --data '{"username": "username", "password": "password"}' https://<host>/login

Accessing the private endpoint with the token will now succeed:

$ curl --header "Authorization: Bearer <token>" https://<host>/private

The token is set to expire in 5 minutus, so wait a while and try to access the private endpoint again. Once the token has expired, a user will need to get a new token from login. Since tokens usually have a longer than 5 minutes expiration time, we can create a /refresh endpoint that takes an active token and returns a new token with a refreshed expiration time.