Examples

Each example is a complete, runnable walkthrough of a pattern you'll encounter in real systems. All code is production-shape (error handling, claim validation, key persistence notes included) — not toy snippets.

The examples

Authentication basics →

Sign a JWT on login, verify it on every protected request. Covers symmetric keys, expiresIn, audience/issuer binding, and the minimum viable auth setup.

Consuming a JWKS endpoint →

Verify tokens issued by a third party (your OAuth provider, Auth0, Okta, Entra, Keycloak, …). Fetch the JWK Set, cache it, and let verify() pick the right key by kid.

Refresh token pattern →

Short-lived JWS access tokens, long-lived JWE refresh tokens. Automatic refresh on access-token expiry via the H3 adapter's onExpire hook.

End-to-end encryption →

One-to-one and one-to-many E2EE with ECDH-ES. Both the fan-out (one token per recipient) and shared-ciphertext (one encryption, per-recipient wrapped keys) patterns are covered.

Signed receipts →

Multi-signature JWS for notarized documents, quorum approvals, and audit trails. Uses signMulti + verifyMultiAll with per-signer policy.

Request an example

Found a pattern you use that isn't here? Open a discussion with the use case — real-world examples are where this section grows.