TokenForge - JWT token toolkit for ProcessWire modules and integrations

[maximus]

Hi everyone,

I have released a new ProcessWire module: TokenForge.

TokenForge is a lightweight JWT/signature toolkit for ProcessWire modules and external API integrations. It creates, signs, validates helper inputs, and caches short-lived JWTs for services that require server-side signed tokens.

GitHub: https://github.com/mxmsmnv/TokenForge

What it does

• Generates JWT tokens with HS256, RS256, and ES256.
• Supports Apple .p8 / EC P-256 keys for ES256.
• Supports RSA private keys for RS256.
• Supports shared secrets for HS256.
• Provides createJwt() and createCachedJwt() APIs for other modules.
• Uses ProcessWire cache for reusable short-lived provider tokens.
• Fingerprints cached entries by token options, so changed claims/keys do not accidentally reuse an old token.
• Includes a superuser-only admin UI with dashboard, quick presets, Apple service setup, JWT generator, diagnostics, cache tools, and activity log.

Why I built it

I needed Apple WeatherKit support in my Meteo module. Apple WeatherKit requires ES256 JWT generation with an Apple .p8 key, and I did not want that signing logic to live only inside one weather module.

So TokenForge is intentionally separate: it can be used by Meteo, but also by other modules or integrations that need JWT-based authentication.

Apple support

TokenForge includes an Apple-focused preset for services that use signed developer/provider tokens, for example:

• WeatherKit REST API
• Apple Maps Server API / MapKit JS tokens
• APNs token-based authentication
• App Store Connect API
• MusicKit / DeviceCheck-style developer tokens

The Apple preset helps prepare the usual ES256 structure: issuer/team ID, service identifier, key ID, .p8 private key path, headers and payload.

Not only Apple

The module also includes starting points for:

• Android/Firebase-style RS256 service account assertions
• Samsung-style RS256 service assertions
• Generic HS256
• Generic RS256
• Generic ES256

Quick presets include demo signing material, so the generator can be tested immediately. For real integrations, replace the demo identifiers and keys with provider values.

Security notes

TokenForge does not store generated JWTs, private key contents, or shared secrets in module settings.

Recommended production usage is to keep private keys in a file path such as:

/site/assets/private/AuthKey_XXXX.p8

and pass private_key_path to TokenForge.

Basic example

$tokenForge = $modules->get('TokenForge');

$jwt = $tokenForge->createCachedJwt('my_provider_token', [
    'ttl' => 3300,
    'algorithm' => 'ES256',
    'key_id' => $keyId,
    'private_key_path' => $privateKeyPath,
    'headers' => [
        'id' => $teamId . '.' . $serviceId,
    ],
    'payload' => [
        'iss' => $teamId,
        'iat' => time(),
        'exp' => time() + 3600,
        'sub' => $serviceId,
    ],
]);

Requirements

• ProcessWire 3+
• PHP 8.1+
• OpenSSL extension

MIT licensed.

Repository: https://github.com/mxmsmnv/TokenForge