JWT Utilities

JWT token verification and utility functions with JWKS caching.

Overview

Provides functions for verifying JWT signatures with JWKS, decoding tokens without verification, extracting user IDs, checking if a token is machine-to-machine, checking expiration, and determining if refresh is needed. JWKS keys are cached for 1 hour for optimal performance.

Basic Usage

import { verifyToken, decodeToken } from 'authsafe-express';

const decoded = decodeToken(token);
const payload = await verifyToken(
  token,
  process.env.AUTHSAFE_DOMAIN,
  process.env.AUTHSAFE_CLIENT_ID,
  decoded.org_id,
);

Best Practices

verifyToken() verifies signature (RS256), issuer, audience, expiration, and not-before claims
JWKS keys are cached for 1 hour with automatic refresh when expired
decodeToken() decodes JWT without verification — useful for extracting org ID before full verification

JWT Utilities

JWT token verification and utility functions with JWKS caching.

Overview

Basic Usage

import { verifyToken, decodeToken } from 'authsafe-express';

const decoded = decodeToken(token);
const payload = await verifyToken(
  token,
  process.env.AUTHSAFE_DOMAIN,
  process.env.AUTHSAFE_CLIENT_ID,
  decoded.org_id,
);

Best Practices

verifyToken() verifies signature (RS256), issuer, audience, expiration, and not-before claims
JWKS keys are cached for 1 hour with automatic refresh when expired
decodeToken() decodes JWT without verification — useful for extracting org ID before full verification