Back to

Package token

Latest Go to latest

The latest major version is .

Published: May 5, 2020 | License: Apache-2.0 | Module:



Build Status Code Climate Issue Count Go Report Card Apache V2 License GitHub release


A JWT token issuer for devices that connect to the XMiDT cluster.

Table of Contents

Code of Conduct

This project and everyone participating in it are governed by the XMiDT Code Of Conduct. By participating, you agree to this Code.


Themis provides a flexible strategy to issue JWT tokens to devices that need to connect to the XMiDT cluster.


There are three main endpoints (directly mapped to servers key, issuer and claims in configuration) this service provides:

  • GET /keys/{KID} - PEM format
  • GET /keys/{KID}/jwk.json - JWK format

This endpoint allows fetching the public portion of the key that themis uses to sign JWT tokens. For example, Talaria can use this endpoint to verify the signature of tokens which devices present when they attempt to connect to XMiDT.

Configuration for this endpoint is required when the issue endpoint is configured and vice versa.

  • POST /issue

This is the main and most compute intensive Themis endpoint as it creates JWT tokens based on configuration.

  • GET /claims

Configuring this endpoint is required if no configuration is provided for the previous two.

JWT Claims Configuration

Claims can be configured through the, partnerID and remote configuration elements. The claim values themselves can come from multiple sources.

Fixed values in configuration


        - capability0
        - capability1

The above config would create the claim:

"capabilities":  ["capability0", "capability1"]

HTTP Header or Parameter


      header: X-Midt-Mac-Address
      parameter: mac

The value of the mac claim would come from the specified header or parameter name of the request to the /issue endpoint.


Although it is configured separately, it behaves very similarly to the previous source type.

  claim: partner-id
  metadata: pid # only needed when a remote claims server needs this value
  header: X-Midt-Partner-ID
  parameter: pid
  default: comcast

Remote claims

  method: "POST"
  url: ""

For more informatiom on how to configure Themis to run as your remote claims server, read the next section on Remote Server Claims Configuration.

Remote Server Claims Configuration

Using Themis as the remote claims server

You can do this by configuring only the claims server in your configuration file. Claims are configured exactly the same as explained above.

Sending data to remote server

Suppose the remote claims server needs the ID of the device requesting a token in the form of an HTTP Header named X-Midt-Device-Id. The token.metadata configuration element allows you to specify which values are sent to the remote claims server.

      header: X-Midt-Device-Id


There is a single binary for themis and its execution is fully driven by configuration.


The Makefile has the following options you may find helpful: * make build: builds the Themis binary * make docker: builds a docker image for themis * make local-docker: builds a docker image for themis with the local version tag * make test: runs unit tests with coverage for Themis * make clean: deletes previously-built binaries and object files


At the simplest form, run the binary with the flag specifying the configuration file

./themis -f themis.yaml

### Docker
We recommend using docker for local development.

Build docker image for themis

themis.yaml specifies the static claims which will be returned in the JWT

make local-docker

Run container service

docker run -p 6501:6501 themis:local

Request a JWT token

curl http://localhost:6701/issue -H ‘X-Midt-Mac-Address: mac:1122334455’ “`


Refer to