Rust toolkit for obtaining SSO JWTs with hardware-backed secure caching.
sso-jwt replaces the older Node.js ssojwt workflow with a native implementation that:
- caches tokens encrypted at rest
- supports Secure Enclave, TPM, WSL bridge, and software fallback backends
- uses server-profile configuration instead of hardcoded single-endpoint assumptions
- supports both CLI and Node.js consumers
| Crate | Purpose |
|---|---|
| sso-jwt | CLI binary |
| sso-jwt-lib | core token, config, cache, and OAuth logic |
| sso-jwt-napi | Node.js native addon |
| sso-jwt-tpm-bridge | Windows TPM bridge for WSL |
Download the latest release for macOS, Windows, and Linux.

Homebrew (macOS/Linux):

```sh
brew tap godaddy/sso-jwt
brew install sso-jwt
```

Scoop (Windows):

```sh
scoop bucket add sso-jwt https://github.com/godaddy/scoop-sso-jwt
scoop install sso-jwt
```

From source:

```sh
cargo install --path sso-jwt
```

Usage:

```sh
# safest common path
sso-jwt exec -- terraform apply

# or capture stdout for a single child process
SSO_JWT=$(sso-jwt) terraform apply

# install shell guardrails
eval "$(sso-jwt shell-init zsh)"
```

The default exec variable name is `SSO_JWT`. Shell integration also warns on common `COMPANY_JWT` export patterns because that variable was used in earlier workflows.
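The distinction the usage block draws is between a token that lives only in one child's environment (`exec`, or a `VAR=... command` prefix) and one that is exported into the long-lived shell and inherited by everything that follows. The following Python is an added illustration of that distinction, not the project's own `shell-init` code: it scans a constructed rc-file sample for persistent `SSO_JWT` / `COMPANY_JWT` exports, the kind of pattern the guardrails warn about, and shows the exec-style child-environment construction. The exact patterns the real shell integration checks are not documented on this page; the classification rules here are assumptions.

```python
"""Spot persistent token exports in shell start-up files.

Added illustration of the kind of pattern sso-jwt's shell guardrails warn about;
not the project's own shell-init code. Variable names are the README's SSO_JWT
and the legacy COMPANY_JWT; the classification rules are assumptions.
"""
import os
import shlex

TOKEN_VARS = ("SSO_JWT", "COMPANY_JWT")

# Constructed sample of an rc file; only lines 3 and 4 park a token in the
# long-lived shell environment.
SAMPLE_RC = """\
# ~/.zshrc (constructed sample)
export PATH="$HOME/bin:$PATH"
export COMPANY_JWT=$(ssojwt)
SSO_JWT=$(sso-jwt)
SSO_JWT=$(sso-jwt) terraform plan
sso-jwt exec -- terraform apply
eval "$(sso-jwt shell-init zsh)"
alias tf='SSO_JWT=$(sso-jwt) terraform'
"""


def _assigned_var(token):
    """Return the variable name if `token` looks like NAME=..., else None."""
    name, sep, _ = token.partition("=")
    return name if sep and name in TOKEN_VARS else None


def find_persistent_token_exports(text):
    """Return (line_no, var, kind) for each line that leaves a JWT in the shell env.

    kind is "export" for `export VAR=...` and "assignment" for a bare `VAR=...`
    with no command after it. A `VAR=... command` prefix scopes the variable to
    that one child process and is not reported.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes; skip rather than guess
            continue
        if not tokens:
            continue
        if tokens[0] == "export":
            for tok in tokens[1:]:
                var = _assigned_var(tok)
                if var:
                    findings.append((line_no, var, "export"))
        else:
            var = _assigned_var(tokens[0])
            if var and len(tokens) == 1:
                findings.append((line_no, var, "assignment"))
    return findings


def child_env(token, var="SSO_JWT", base=None):
    """Build the environment for one child process without touching os.environ.

    This mirrors the exec-style pattern from the usage block: the token exists
    only in the child's environment block, never in the parent shell.
    """
    env = dict(os.environ if base is None else base)
    env[var] = token
    return env


if __name__ == "__main__":
    for line_no, var, kind in find_persistent_token_exports(SAMPLE_RC):
        print(f"line {line_no}: {kind} of {var} keeps a token in the shell environment")
```

Lines 3 and 4 of the sample are reported; the per-command prefix on line 5, the `exec` form on line 6 and the alias on line 8 are not, because each of those hands the token to exactly one child process.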
```text
sso-jwt [OPTIONS] [COMMAND]

Commands:
  shell-init  Print shell integration script
  exec        Run a command with the JWT injected into its environment
  install     Print install guidance or configure WSL from Windows
  uninstall   Remove WSL config on Windows or print manual removal guidance
  add-server  Add a server profile from a URL, GitHub repo, or local file
```

Key options: `--server`, `--environment`, `--cache-name`, `--risk-level`, `--oauth-url`, `--biometric`, `--no-open`, `--clear`
Configuration lives at `~/.config/sso-jwt/config.toml`.

Current config shape:

```toml
default_server = "myco"
risk_level = 2
biometric = false
cache_name = "default"

[servers.myco]
client_id = "sso-jwt"

[servers.myco.environments.prod]
default = true
oauth_url = "https://sso.example.com/oauth/device"
token_url = "https://sso.example.com/oauth/token"
heartbeat_url = "https://sso.example.com/oauth/heartbeat"
```

Environment variable overrides:
| Variable | Purpose |
|---|---|
| SSOJWT_SERVER | server profile name |
| SSOJWT_ENVIRONMENT | environment within the selected server |
| SSOJWT_OAUTH_URL | direct OAuth device URL override |
| SSOJWT_TOKEN_URL | token polling URL override |
| SSOJWT_HEARTBEAT_URL | heartbeat URL override |
| SSOJWT_CLIENT_ID | client ID override |
| SSOJWT_RISK_LEVEL | risk level override |
| SSOJWT_BIOMETRIC | biometric override |
| SSOJWT_CACHE_NAME | cache-name override |
`sso-jwt exec` uses `--env-var` to choose the child-process environment variable name. That setting is not part of the persisted config file.
You can add a server from a local file, URL, or GitHub repo path:

```sh
sso-jwt add-server myco --from-url ./server.toml
sso-jwt add-server github --from-github owner/repo/path/to/server.toml
```

If you omit the label, `add-server` stores the profile as `default` and also sets it as `default_server`.
All platform-specific crypto comes from libenclaveapp.
| Platform | Backend |
|---|---|
| macOS | Secure Enclave |
| Windows | TPM 2.0 |
| WSL | Windows TPM bridge |
| Linux with TPM | TPM 2.0 |
| Linux without TPM | software fallback |
Build and test:

```sh
cargo build
cargo test
cargo clippy --workspace --all-targets -- -D warnings
cargo fmt --all -- --check
```

Node addon build:

```sh
cd sso-jwt-napi
npm install
npm run build
```

License: MIT