Core ModulesJWT Module

JWT Module

Accessed via auth.jwt. Low-level token operations. Typically you won’t need this directly - auth.auth handles token issuance and rotation for you.

// Issue tokens manually
const accessToken = auth.jwt.issueAccessToken(user, sessionId);
const refreshToken = auth.jwt.issueRefreshToken(user, sessionId);
const { accessToken, refreshToken } = auth.jwt.issueTokenPair(user, sessionId);
 
// Verify (throws on invalid, expired, or wrong token type)
const payload = auth.jwt.verifyAccessToken(token);
const payload = auth.jwt.verifyRefreshToken(token);
 
// Decode without verifying (e.g. read `sub` from an expired token)
const payload = auth.jwt.decode(token); // returns null if unparseable

Methods

MethodSignatureNotes
issueAccessToken(user: User, sessionId?: string) => stringEmbeds email, role, sessionId, type: "access", and any extraClaims.
issueRefreshToken(user: User, sessionId?: string) => stringMinimal payload: sub, sessionId, type: "refresh".
issueTokenPair(user: User, sessionId?: string) => TokenPairBoth of the above.
verifyAccessToken(token: string) => TokenPayloadThrows if the token isn’t an access token.
verifyRefreshToken(token: string) => TokenPayloadThrows if the token isn’t a refresh token.
decode(token: string) => TokenPayload | nullNo signature check.
⚠️

verifyAccessToken / verifyRefreshToken throw TokenTypeError if you pass the wrong kind of token, and jsonwebtoken’s JsonWebTokenError / TokenExpiredError for invalid signatures or expiry. See Error Handling.

Asymmetric keys (RS256)

Set jwt.algorithm and pass the appropriate key as jwt.secret:

const auth = createAuth({
  jwt: {
    secret: fs.readFileSync("private.pem", "utf8"),
    algorithm: "RS256",
  },
});