JWT Methods
Three ready-made functions that satisfy the JwtVerify, JwtDecode, and JwkVerify interfaces expected by @saurbit/oauth2. They wrap jose and handle the necessary type conversions so you can plug them directly into the @saurbit/oauth2 builders.
verifyJwt
```ts
const verifyJwt: JwtVerify
```

Verifies a JWT using the provided secret or key and returns the decoded payload. Wraps jose's jwtVerify.
Pass this as the JwtVerify argument to ClientSecretJwt or PrivateKeyJwt.
Usage with ClientSecretJwt
```ts
import { ClientSecretJwt } from "@saurbit/oauth2";
import { decodeJwt, verifyJwt } from "@saurbit/oauth2-jwt";

const clientSecretJwt = new ClientSecretJwt(decodeJwt, verifyJwt)
  .addAlgorithm(ClientSecretJwt.algo.HS256)
  .getClientSecret(async (clientId) => {
    const client = await db.findClientById(clientId);
    return client?.secret ?? null;
  });
```

Usage with PrivateKeyJwt
```ts
import { PrivateKeyJwt } from "@saurbit/oauth2";
import { decodeJwt, verifyJwt } from "@saurbit/oauth2-jwt";

const privateKeyJwt = new PrivateKeyJwt(decodeJwt, verifyJwt)
  .addAlgorithm(PrivateKeyJwt.algo.RS256)
  .getPublicKeyForClient(async (clientId) => {
    const client = await db.findClientById(clientId);
    return client?.publicKey ?? null;
  });
```

decodeJwt
```ts
const decodeJwt: JwtDecode
```

Decodes a JWT payload without verifying its signature. Wraps jose's decodeJwt.
Pass this as the JwtDecode argument to ClientSecretJwt or PrivateKeyJwt alongside verifyJwt.
WARNING
This function does not validate the token's signature, expiration, or any other claims. Use it only to inspect the token payload before verification, as done internally by ClientSecretJwt and PrivateKeyJwt to extract the client_id from the assertion.
verifyJwk
```ts
const verifyJwk: JwkVerify
```

Verifies a JWT whose header embeds the public key as a JWK ("jwk" header parameter). The public key is extracted from the JWT header itself and used to verify the signature. Only the ES256 algorithm is accepted.
Pass this as the JwkVerify argument to DPoPTokenType.
Usage with DPoPTokenType
```ts
import { createInMemoryReplayStore, DPoPTokenType } from "@saurbit/oauth2";
import { verifyJwk } from "@saurbit/oauth2-jwt";

const dpop = new DPoPTokenType(verifyJwk, createInMemoryReplayStore());
```

Then pass it to your flow builder:

```ts
import { AuthorizationCodeFlowBuilder } from "@saurbit/oauth2";

const flow = new AuthorizationCodeFlowBuilder({ tokenEndpoint: "/token" })
  .setTokenType(dpop)
  // ... other builder methods
  .build();
```