diff --git a/Cargo.lock b/Cargo.lock
index 0d17e73..75b9864 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -153,6 +153,12 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b41b7ea54a0c9d92199de89e20e58d49f02f8e699814ef3fdf266f6f748d15c7"
 
+[[package]]
+name = "base64"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+
 [[package]]
 name = "base64"
 version = "0.21.5"
@@ -326,7 +332,7 @@ dependencies = [
 
 [[package]]
 name = "card-cli"
-version = "1.7.10"
+version = "1.7.11"
 dependencies = [
  "authenticator",
  "base64 0.21.5",
@@ -337,6 +343,7 @@ dependencies = [
  "ecdsa",
  "env_logger",
  "hex",
+ "jwt",
  "openpgp-card",
  "openpgp-card-pcsc",
  "openpgp-card-sequoia",
@@ -1131,6 +1138,21 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "jwt"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6204285f77fe7d9784db3fdc449ecce1a0114927a51d5a41c4c7a292011c015f"
+dependencies = [
+ "base64 0.13.1",
+ "crypto-common",
+ "digest 0.10.7",
+ "hmac 0.12.1",
+ "serde",
+ "serde_json",
+ "sha2",
+]
+
 [[package]]
 name = "kernel32-sys"
 version = "0.2.2"
diff --git a/Cargo.toml b/Cargo.toml
index 58a53be..acaf3e4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "card-cli"
-version = "1.7.10"
+version = "1.7.11"
 authors = ["Hatter Jiang <jht5945@gmail.com>"]
 edition = "2018"
 
@@ -38,6 +38,7 @@ tabled = "0.14.0"
 env_logger = "0.10"
 bech32 = "0.9.1"
 ecdsa = { version = "0.16.8", features = ["verifying", "spki", "pem", "der"] }
+jwt = "0.16.0"
 #lazy_static = "1.4.0"
 #ssh-key = "0.4.0"
 #ctap-hid-fido2 = "2.1.3"
diff --git a/src/cmd_signjwt.rs b/src/cmd_signjwt.rs
new file mode 100644
index 0000000..b3fd305
--- /dev/null
+++ b/src/cmd_signjwt.rs
@@ -0,0 +1,82 @@
+use std::collections::BTreeMap;
+
+use clap::{App, Arg, ArgMatches, SubCommand};
+use jwt::{AlgorithmType, Error, SigningAlgorithm, SignWithKey};
+use rust_util::util_clap::{Command, CommandError};
+use yubikey::piv::{AlgorithmId, sign_data};
+use yubikey::YubiKey;
+
+use crate::{digest, pivutil, util};
+
+const SEPARATOR: &str = ".";
+
+// TODO pending ...
+struct XSign {}
+
+impl SigningAlgorithm for XSign {
+    fn algorithm_type(&self) -> AlgorithmType {
+        AlgorithmType::Es256
+    }
+
+    fn sign(&self, header: &str, claims: &str) -> Result<String, Error> {
+        let mut tobe_signed = vec![];
+        tobe_signed.extend_from_slice(header.as_bytes());
+        tobe_signed.extend_from_slice(SEPARATOR.as_bytes());
+        tobe_signed.extend_from_slice(claims.as_bytes());
+        let sha256 = digest::sha256_bytes(&tobe_signed);
+
+        let slot = "82";
+        let mut yk = match YubiKey::open() {
+            Ok(yk) => yk,
+            Err(e) => {
+                failure!("Find YubiKey failed: {}", e);
+                return Err(Error::NoSignatureComponent);
+            }
+        };
+        let slot_id = match pivutil::get_slot_id(slot) {
+            Ok(slot_id) => slot_id,
+            Err(e) => {
+                failure!("Find slot id failed: {}", e);
+                return Err(Error::NoSignatureComponent);
+            }
+        };
+        let algorithm = AlgorithmId::EccP256;
+
+        let signed_data = match sign_data(&mut yk, &sha256, algorithm, slot_id) {
+            Ok(signed_data) => signed_data,
+            Err(e) => {
+                failure!("Find YubiKey failed: {}", e);
+                return Err(Error::NoSignatureComponent);
+            }
+        };
+
+        let sign = util::base64_encode_url_safe_no_pad(signed_data);
+        Ok(sign)
+    }
+}
+
+pub struct CommandImpl;
+
+impl Command for CommandImpl {
+    fn name(&self) -> &str { "sign-jwt" }
+
+    fn subcommand<'a>(&self) -> App<'a, 'a> {
+        SubCommand::with_name(self.name()).about("Sign JWT subcommand")
+            // .arg(Arg::with_name("pub-key-in").long("pub-key-in").takes_value(true).help("Public key in"))
+            // .arg(Arg::with_name("signature").long("signature").takes_value(true).help("Signature HEX"))
+            // .arg(Arg::with_name("in").short("i").long("in").takes_value(true).help("File in"))
+            // .arg(Arg::with_name("hash").long("hash").takes_value(true).possible_values(&[
+            //     "sha256", "sha384", "sha512"
+            // ]).default_value("sha256").help("Hash"))
+            .arg(Arg::with_name("json").long("json").help("JSON output"))
+    }
+
+    fn run(&self, _arg_matches: &ArgMatches, _sub_arg_matches: &ArgMatches) -> CommandError {
+        let mut claims = BTreeMap::new();
+        claims.insert("sub", "someone");
+        let j = claims.sign_with_key(&XSign {}).unwrap();
+        println!("{}", j);
+
+        Ok(None)
+    }
+}
\ No newline at end of file
diff --git a/src/main.rs b/src/main.rs
index d767af3..7f3b476 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -41,6 +41,7 @@ mod cmd_chall;
 mod cmd_challconfig;
 mod cmd_sshagent;
 mod cmd_pgpageaddress;
+mod cmd_signjwt;
 
 pub struct DefaultCommandImpl;
 
@@ -94,6 +95,7 @@ fn inner_main() -> CommandError {
         Box::new(cmd_u2fsign::CommandImpl),
         Box::new(cmd_sshagent::CommandImpl),
         Box::new(cmd_pgpageaddress::CommandImpl),
+        Box::new(cmd_signjwt::CommandImpl),
     ];
     let mut app = App::new(env!("CARGO_PKG_NAME"))
         .version(env!("CARGO_PKG_VERSION"))
diff --git a/src/util.rs b/src/util.rs
index c841974..2025f6e 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -1,10 +1,14 @@
 use base64::{DecodeError, Engine};
-use base64::engine::general_purpose::STANDARD;
+use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD};
 
 pub fn base64_encode<T: AsRef<[u8]>>(input: T) -> String {
     STANDARD.encode(input)
 }
 
+pub fn base64_encode_url_safe_no_pad<T: AsRef<[u8]>>(input: T) -> String {
+    URL_SAFE_NO_PAD.encode(input)
+}
+
 pub fn base64_decode<T: AsRef<[u8]>>(input: T) -> Result<Vec<u8>, DecodeError> {
     STANDARD.decode(input)
 }