jwt-jwks-client

A client library that verifies a JWT token by retrieving signing keys from a JWKS (JSON Web Key Set) endpoint.

Usage: no npm install needed!

<script type="module">
  import jwtJwksClient from 'https://cdn.skypack.dev/jwt-jwks-client';
</script>

README

License: MIT


JWT JWKS Client

A client library, written in TypeScript, that verifies a JWT token by retrieving signing keys from a JWKS (JSON Web Key Set) endpoint.

Usage

You provide the client with the JWKS endpoint that exposes your signing keys. Using the verify method, you can then verify a JWT token.

import jwksClient from "jwt-jwks-client";
// or using require (use one of the two forms, not both)
// const jwksClient = require('jwt-jwks-client');

const client = jwksClient({
  secure: true, // Default value
  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json',
  rateLimit: 0, // Optional, number of requests per minute; 0 means no limit
  requestHeaders: {}, // Optional
  requestAgentOptions: {}, // Optional
  timeout: 30000, // Optional, default 30s
});

// throws an error if the token is not valid
await client.verify(jwtToken);

Verify with options

await client.verify(jwtToken, verifyOptions);

interface VerifyOptions {
  iat?: boolean;
  kid?: boolean;
  subject?: string;
  issuer?: string;
  audience?: string | string[];
  header?: object;
  algorithm?: string;
  expiresIn?: string;
  notBefore?: string;
  jti?: string;
  now?: Date;
}

For details, see the jose library.
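The checks that the issuer, audience, algorithm and kid options stand for, written out with Node's built-in crypto module as an added example. This is not jwt-jwks-client's or jose's code, and it skips the HTTP fetch of the JWKS. The names verifyWithJwks, signSample and sampleJwks are hypothetical, and the key pair and tokens are constructed for the demo.

```javascript
const crypto = require("crypto");

const b64u = (s) => Buffer.from(s).toString("base64url");
const parse = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Constructed fixture: a throwaway RSA key pair published as a one-key JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const sampleJwks = {
  keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-key-1", use: "sig", alg: "RS256" }],
};

// Issuer side, for the demo only: mint a constructed sample token.
function signSample(claims, header = { alg: "RS256", kid: "demo-key-1" }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = header.alg === "RS256"
    ? crypto.sign("RSA-SHA256", Buffer.from(input), privateKey).toString("base64url")
    : ""; // e.g. an unsigned alg "none" token
  return `${input}.${sig}`;
}

// Verifier side: check a token against an already-fetched JWKS document.
function verifyWithJwks(token, jwks, { issuer, audience, now = new Date() }) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const header = parse(parts[0]);
  // Pin the algorithm; the token header must not choose it ("none", HS256 confusion).
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  // Select the signing key by kid, so key rotation only needs a JWKS update.
  const jwk = jwks.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify("RSA-SHA256", signed, key, Buffer.from(parts[2], "base64url"))) {
    throw new Error("bad signature");
  }
  // Claims are trusted only after the signature check has passed.
  const claims = parse(parts[1]);
  const secs = Math.floor(now.getTime() / 1000);
  if (typeof claims.exp !== "number" || claims.exp <= secs) throw new Error("expired");
  if (claims.iss !== issuer) throw new Error("wrong issuer");
  if (![].concat(claims.aud ?? []).includes(audience)) throw new Error("wrong audience");
  return claims;
}
```

Passing issuer and audience on every call matters because a JWKS signature check alone accepts any token the identity provider signed, including tokens minted for a different application.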

Using AgentOptions for TLS/SSL Configuration

The requestAgentOptions property can be used to configure SSL/TLS options. An example use case is providing a trusted private (i.e. enterprise/corporate) root certificate authority to establish TLS communication with the jwks_uri.

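import fs from "fs";
import jwksClient from "jwt-jwks-client";

// Placeholder path: point this at your trusted CA certificate (PEM)
const caFile = "/path/to/enterprise-root-ca.pem";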

const client = jwksClient({
  strictSsl: true, // Default value
  jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json',
  requestHeaders: {}, // Optional
  requestAgentOptions: {
    ca: fs.readFileSync(caFile)
  }
});

For more information, see the NodeJS request library agentOptions documentation.

Showing Trace Logs

To show trace logs you can set the following environment variable:

DEBUG=jwks

JWT token sign

Check out my other JWT Auth library that supports not only regular JWT token generation, but also key rotation and key revocation.

License

FOSSA Status