
@funkybob/jwt

v2.0.4

Published

Native JWT validation without deps

Downloads

17

Readme

Native JWT validation

Using nothing but what modern browsers provide, this package can decode and validate JWTs, even those signed using RS256.

Supported Algorithms

  • HS256
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512

Verified Claims

  • aud
  • iss
  • exp
  • nbf

Note: RS algorithms only support keys in JWK format, currently.

Usage

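import {decode, verify} from "@funkybob/jwt";

// token: the compact JWT string; options: see the option list under Modules
let jwt = decode(token);
let valid;
try {
    valid = await verify(jwt, options);
} catch (err) {
    // a failed check throws; see Errors for the messages
    valid = false;
}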

Loading Keys

If you are using the RS family of signing algorithms, you will need to provide a map of kid to JWK objects (see https://tools.ietf.org/html/rfc7517).

If your issuer provides their JWK at the well-known URI ("/.well-known/jwks.json"), you can use the "fetchKeys" function to retrieve them once. This returns a Promise:

options.keys = await fetchKeys('hostname.myissuer.com')

or

fetchKeys('hostname').then(keys => options.keys = keys);

Do not try to validate a token before this promise has resolved.

Errors

"Unsupported algorithm"

The 'alg' specified in the Header does not match that specified in options, or is not supported by this library.

"Unknown key"

The 'kid' specified in the Header could not be found in the list of known keys. If options.hostname was specified, the list of keys retrieved did not contain the matching kid.

"Invalid signature"

The signing algorithm returned a negative result.

"Unrecognised issuer"

The 'iss' field in the Message did not match that specified in options.

"Invalid audience"

The 'aud' specified in options was not found in the 'aud' list in the Message.

"Token has expired"

The token's 'exp' claim is in the past.

"Token not yet valid"

The token's 'nbf' claim is in the future.

Modules

verify

decode(token)

Decodes a JWT string into an Object:

  • header : the JSON decoded content of the header part of the token.
  • claims : the JSON decoded content of the claims part of the token.
  • signature : the signature from the token
  • parts : the token split by '.'
  • token : the original token string

async isValid(jwt, {alg, iss, aud, secret, keys})

  • alg: signature algorithm
  • aud: audience (Optional)
  • iss: issuer (Optional)
  • secret: secret for HS* algorithms
  • keys: map of {kid: JWK} for RS* algorithms

Check if a jwt is valid.

  • verifies header.typ is 'JWT'
  • verifies the algorithm matches what we accept.
  • verifies the signature matches
  • if an "iss" is specified, verify it matches.
  • if an "aud" is specified, verify it matches.
  • if the token claims an "exp", ensure it's after now.
  • if the token claims a "nbf", ensure it's before now.
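
The check order listed above, written out for HS256 with the Web Crypto API. This is an added example, not the package's own code: the function names (checkHS256, signHS256, hmacKey, demo), the "Malformed token" message and the sample tokens are assumptions constructed here, while the other error strings are the ones listed under Errors.

```javascript
// Added illustration; not the package's source. All function names are assumptions.
const enc = new TextEncoder(), dec = new TextDecoder();
const b64uEncode = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64uDecode = (s) => {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};
async function hmacKey(secret) {
  // Browsers expose crypto globally; older Node releases need the import.
  const { subtle } = globalThis.crypto ?? (await import("node:crypto")).webcrypto;
  const key = await subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
  return { subtle, key };
}

// Builds constructed sample tokens for demo(); the header is overridable on purpose.
async function signHS256(claims, secret, header = { alg: "HS256", typ: "JWT" }) {
  const { subtle, key } = await hmacKey(secret);
  const input = [header, claims].map((o) => b64uEncode(enc.encode(JSON.stringify(o)))).join(".");
  return `${input}.${b64uEncode(new Uint8Array(await subtle.sign("HMAC", key, enc.encode(input))))}`;
}

async function checkHS256(token, { secret, iss, aud, now = Date.now() / 1000 }) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("Malformed token"); // message is an assumption
  const [header, claims] = parts.slice(0, 2).map((p) => JSON.parse(dec.decode(b64uDecode(p))));
  if (header.typ !== "JWT") throw new Error("Malformed token");
  // The accepted algorithm is fixed by the verifier, never taken from the token.
  if (header.alg !== "HS256") throw new Error("Unsupported algorithm");
  const { subtle, key } = await hmacKey(secret);
  const signed = enc.encode(`${parts[0]}.${parts[1]}`);
  if (!(await subtle.verify("HMAC", key, b64uDecode(parts[2]), signed))) throw new Error("Invalid signature");
  // Claims are trusted only after the signature has been verified.
  if (iss !== undefined && claims.iss !== iss) throw new Error("Unrecognised issuer");
  if (aud !== undefined && ![].concat(claims.aud ?? []).includes(aud)) throw new Error("Invalid audience");
  if (claims.exp !== undefined && claims.exp <= now) throw new Error("Token has expired");
  if (claims.nbf !== undefined && claims.nbf > now) throw new Error("Token not yet valid");
  return claims;
}

async function demo(now = 1700000000, secret = "constructed-demo-secret") {
  const claims = { iss: "issuer.example", aud: ["api"], exp: now + 60 };
  const opts = { secret, iss: "issuer.example", aud: "api", now };
  const run = (t, o = opts) => checkHS256(t, o).then(() => "ok", (e) => e.message);
  return [await run(await signHS256(claims, secret)),
    await run(await signHS256(claims, secret, { alg: "none", typ: "JWT" })),
    await run(await signHS256({ ...claims, exp: now - 1 }, secret)),
    await run(await signHS256(claims, "other-secret"))];
}
```

demo() resolves to one outcome per sample token: a valid token, one whose header names a different algorithm, an expired one, and one signed with a different secret.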

keys

fetchKeys (hostname)

Fetches keys from https://${hostname}/.well-known/jwks.json, then assembles them into an Object by Key ID (kid).

crypto

function importKey (alg, key)

Imports the key matter as appropriate for the specified algorithm.

util

function b64d (v)

base64url decode 'v'

function b64e (v)

base64url encode 'v'

function str2bytes (v)

Converts 'v' from a String to a Uint8Array.

function bytes2str (v)

Converts 'v' from a Uint8Array to a String