Package Exports
- @sourceregistry/node-jwt
Readme
๐ node-jwt
A minimal, secure, and production-ready JWT (JSON Web Token) library for Node.js with zero dependencies. Supports all standard signing algorithms (HMAC, RSA, ECDSA) and full claim validation.
โจ Why another JWT library?
Most JWT libraries are bloated, have security pitfalls, or lack proper TypeScript support. This library is:
- Tiny
- Secure by default (correct ECDSA/RSA encoding, time validation)
- TypeScript-first with full JSDoc
- No external dependencies
- 100% test coverage
๐ฆ Installation
npm install @sourceregistry/node-jwtRequires Node.js โฅ 16
๐ Quick Start
Sign a token
import { sign } from '@sourceregistry/node-jwt';
const token = sign(
{ sub: '1234567890', name: 'John Doe', iat: Math.floor(Date.now() / 1000) },
'your-secret-key',
{ alg: 'HS256' }
);Verify a token
import { verify } from '@sourceregistry/node-jwt';
const result = verify(token, 'your-secret-key');
if (result.valid) {
console.log('Payload:', result.payload);
} else {
console.error('JWT Error:', result.error.code, result.error.reason);
}Decode (unsafe โ no verification)
import { decode } from '@sourceregistry/node-jwt';
const { header, payload, signature } = decode(token);๐ Supported Algorithms
| Algorithm | Type | Secret Type |
|---|---|---|
HS256 |
HMAC | string | Buffer |
HS384 |
HMAC | string | Buffer |
HS512 |
HMAC | string | Buffer |
RS256 |
RSA | Private key (signing) Public key (verifying) |
RS384 |
RSA | Private key (signing) Public key (verifying) |
RS512 |
RSA | Private key (signing) Public key (verifying) |
ES256 |
ECDSA | Private key (signing) Public key (verifying) |
ES384 |
ECDSA | Private key (signing) Public key (verifying) |
ES512 |
ECDSA | Private key (signing) Public key (verifying) |
๐ก Note: RSA/ECDSA keys must be in PEM format or as Node.js
KeyObject.
๐ก๏ธ Security Features
- โ Correct ECDSA signatures (DER-encoded, not IEEE P1363)
- โ Strict algorithm validation (prevents algorithm confusion attacks)
- โ
Time claim validation (
exp,nbf,iat) with clock skew tolerance - โ
Type header enforcement (
typ: 'JWT') - โ No unsafe defaults
๐ API Reference
sign(payload, secret, options?)
Sign a JWT.
payload:JWTPayloadobjectsecret: Key for signing (type depends on algorithm)options:alg: Algorithm (default:'HS256')kid: Key IDtyp: Token type (default:'JWT')
Returns: string (JWT)
verify(token, secret, options?)
Verify and validate a JWT.
token: JWT stringsecret: Key for verificationoptions:ignoreExpiration: Skipexpcheck (default:false)clockSkew: Tolerance in seconds for time validation (default:0)
Returns:
| { valid: true; header: JWTHeader; payload: JWTPayload; signature: string }
| { valid: false; error: { reason: string; code: string } }Error Codes:
INVALID_TOKEN: Malformed token structureINVALID_ALGORITHM: Unsupported algorithmINVALID_TYPE: InvalidtypheaderINVALID_SIGNATURE: Signature mismatchTOKEN_EXPIRED:expclaim exceededTOKEN_NOT_ACTIVE:nbfclaim not reachedTOKEN_FUTURE_ISSUED:iatclaim in future
decode(token)
Decode a JWT without verification (use with caution!).
token: JWT string
Returns: { header, payload, signature }
Throws on malformed tokens.
๐งช Testing
This library has 100% test coverage with Vitest:
npm test
npm run test:coverageTests include:
- All algorithms (HMAC, RSA, ECDSA)
- Time validation edge cases
- Malformed token handling
- Signature verification
- Custom claims
๐ Contributing
PRs welcome! Please:
- Add tests for new features
- Maintain 100% coverage
- Follow existing code style
Found a security issue? Report it responsibly.