Sihl Token

A token is a string that has some values associated with it. Tokens are often used for authentication by associating a user_id to a string.


sihl-token ships with 4 backend implementations.

JSON Web Token

JSON Web Token (JWT) is a standard for client-side tokens. The associated data is stored in the actual token, which is signed and sent to the client.

JWTs are valid until they expire. If you want to invalidate them before, it is necessary to keep a blacklist on the server. This requires some persistent storage.

Use either Sihl_token.JwtPostgreSql or Sihl_token.JwtMariaDb.


Server-side tokens have their data persisted on the server. This is useful for sensitive information.

Use either Sihl_token.PostgreSql or Sihl_token.MariaDb.



First, choose a backend in service/

module Token = Sihl_token.JwtPostgresql


Register the service in run/

let services = [ Service.Token.register () ]


Run make sihl migrate to run pending migrations.


The API is documented in Sihl.Contract.Token.Sig.


The token middleware Sihl.Contract.Token.Sig.Web.Middleware.user fetches the current user based on the provided Bearer Token.

let index req =

  match Service.Token.Web.User.find_opt req with
  | None -> Lwt.return @@ Sihl.Web.Response.redirect_to "/login"
  | Some user -> Lwt.return @@ Sihl.Web.Response.of_html (View.Welcome.index user)