Keypairs CLI
The most useful and easy-to-use crypto cli on the planet
(because openssl is confusing).
- Universal Standards-based Crypto Support:
- RSA (2048, 3072, 4096, 8192)
- EC (NIST ECDSA) P-256 (prime256v1, secp256r1), P-384 (secp384r1)
 
- Supported Encodings: PEM, JSON
- Private Key Formats: PKCS1, SEC1, PKCS8, JWK, OpenSSH
- Public Key Formats: PKCS1, PKIX (SPKI), SSH
- Create JWT tokens
- Sign JWT/JWS claims/tokens/payloads
- Verify JWT/JWS tokens/json
Install
You must have node.js installed.
npm install --global keypairs-cli
Usage
Guess and check.
The keypairs CLI is pretty fuzzy. If you just type at it, it'll probably work.
That said, the fuzzy behavior is not API-stable and is subject to change, so you should only script to the documented syntax. ;)
Overview
- Generate: keypairs gen
- Convert: keypairs ./priv.pem
- Sign: keypairs ./priv.pem sign https://example.com/ '{"sub":"jon@example.com"}'
- Verify: keypairs verify 'xxxxx.yyyyy.zzzzz'
Generate a New Key
No arguments - generates a universally compatible key of more-than-sufficient entropy.
keypairs gen
Generate an ecdsa key:
keypairs gen ec P-256
Generate an RSA key:
keypairs gen rsa 2048
Parse/Convert an existing key
keypairs ./priv.pem
keypairs '{"kty":"EC",...}'
keypairs ./priv.jwk.json
Syntax: keypairs <in> [priv-out opts...] [pub-out opts...]
keypairs <inkey> [[encoding|scheme] [priv-out]] [[encoding|scheme] [pub-out]] [public|private]
Note: If you specify a private and a public key, and you want to specify the schema/encoding of the public key, you must also specify the scheme and encoding of the public key. Order matters. Private keys come first.
JWK Keypair to PEM-encoded Private and Public keys:
keypairs ./priv.json pem pkcs1 ./priv.pem pem spki ./pub.pem
keypairs ./priv.json pem ./priv.pem ssh ./pub.json
keypairs ./priv.json pkcs8 ./priv.pem spki ./pub.json
PEM Keypair to JSON-encoded JWK (Public Key Only):
keypairs ./priv.pem jwk ./priv.pem public
keypairs ./priv.pem json ./priv.pem public
Generic PEM to JWK:
keypairs priv.pem priv.jwk.json
keypairs priv.pem priv.jwk.json pub.jwk.json
keypairs priv.pem pub.jwk.json public
# fails if the input is public
keypairs priv.pem priv.jwk.json private
Generic JWK to PEM:
keypairs '{"kty":"EC",...}' priv.pem
keypairs priv.json priv.pem
Sign a Token (JWT)
keypairs ./priv.pem sign https://example.com/ '{"sub":"jon@example.com"}' 1h
Verify a JWT (Token)
Verify a JWT based on its issuer
keypairs verify 'xxx.yyy.zzz'