pg_session_jwt
Manage authentication sessions using JWTs
Repository
neondatabase/pg_session_jwt
https://github.com/neondatabase/pg_session_jwt
Source
pg_session_jwt-0.4.0.tar.gz
pg_session_jwt-0.4.0.tar.gz
Overview
| Package | Version | Category | License | Language |
|---|---|---|---|---|
pg_session_jwt | 0.4.0 | SEC | Apache-2.0 | Rust |
| ID | Extension | Bin | Lib | Load | Create | Trust | Reloc | Schema |
|---|---|---|---|---|---|---|---|---|
| 7040 | pg_session_jwt | No | Yes | No | Yes | Yes | No | auth |
| Related | pgjwt pgaudit pgsodium supabase_vault anon |
|---|
manual updated pgrx by Vonng
Version
| Type | Repo | Version | PG Ver | Package | Deps |
|---|---|---|---|---|---|
| EXT | PIGSTY | 0.4.0 | 1817161514 | pg_session_jwt | - |
| RPM | PIGSTY | 0.4.0 | 1817161514 | pg_session_jwt_$v | - |
| DEB | PIGSTY | 0.4.0 | 1817161514 | postgresql-$v-pg-session-jwt | - |
Build
You can build the RPM / DEB packages for pg_session_jwt using pig build:
pig build pkg pg_session_jwt # build RPM / DEB packages
Install
You can install pg_session_jwt directly. First, make sure the PGDG and PIGSTY repositories are added and enabled:
pig repo add pgsql -u # Add repo and update cache
Install the extension using pig or apt/yum/dnf:
pig install pg_session_jwt; # Install for current active PG version
pig ext install -y pg_session_jwt -v 18 # PG 18
pig ext install -y pg_session_jwt -v 17 # PG 17
pig ext install -y pg_session_jwt -v 16 # PG 16
pig ext install -y pg_session_jwt -v 15 # PG 15
pig ext install -y pg_session_jwt -v 14 # PG 14
dnf install -y pg_session_jwt_18 # PG 18
dnf install -y pg_session_jwt_17 # PG 17
dnf install -y pg_session_jwt_16 # PG 16
dnf install -y pg_session_jwt_15 # PG 15
dnf install -y pg_session_jwt_14 # PG 14
apt install -y postgresql-18-pg-session-jwt # PG 18
apt install -y postgresql-17-pg-session-jwt # PG 17
apt install -y postgresql-16-pg-session-jwt # PG 16
apt install -y postgresql-15-pg-session-jwt # PG 15
apt install -y postgresql-14-pg-session-jwt # PG 14
Create Extension:
CREATE EXTENSION pg_session_jwt;
Usage
pg_session_jwt handles authenticated sessions through JWTs. When configured with a JWK, it verifies JWT authenticity. Without a JWK, it falls back to PostgREST-compatible request.jwt.claims.
CREATE EXTENSION pg_session_jwt;
Mode 1: JWK Validation
Set the JWK at connection time via libpq options:
export PGOPTIONS="-c pg_session_jwt.jwk=$MY_JWK"
Then within the session:
SELECT auth.init(); -- Initialize with JWK
SELECT auth.jwt_session_init('eyJ...'); -- Set and validate the JWT
SELECT auth.user_id(); -- Get the 'sub' claim
SELECT auth.session(); -- Get full JWT payload as JSONB
Mode 2: PostgREST-Compatible (No JWK)
Works out of the box with PostgREST. No initialization needed:
SELECT auth.user_id(); -- Returns 'sub' from request.jwt.claims
SELECT auth.session(); -- Returns full claims as JSONB
Functions
| Function | Returns | Description |
|---|---|---|
auth.init() | void | Initialize session using JWK |
auth.jwt_session_init(jwt text) | void | Set and validate a JWT |
auth.session() | jsonb | Get JWT payload or fallback claims |
auth.jwt() | jsonb | Alias for auth.session() |
auth.user_id() | text | Get the sub claim |
auth.uid() | uuid | Get sub as UUID (or NULL) |
Configuration
| Parameter | Description |
|---|---|
pg_session_jwt.jwk | JWK for JWT validation (set at startup or connection) |
pg_session_jwt.audit_log | Enable audit logging (on/off) |
RLS Example
CREATE POLICY user_isolation ON my_table
USING (user_id = auth.user_id());
Feedback
Was this page helpful?
Thanks for the feedback! Please let us know how we can improve.
Sorry to hear that. Please let us know how we can improve.