[{"data":1,"prerenderedAt":1740},["ShallowReactive",2],{"navigation":3,"-examples-refresh-token-pattern":167,"-examples-refresh-token-pattern-surround":1737},[4,22,78,106,141,148],{"title":5,"path":6,"stem":7,"children":8},"Introduction","\u002Fgetting-started","0.Getting-Started\u002F0.index",[9,10,14,18],{"title":5,"path":6,"stem":7},{"title":11,"path":12,"stem":13},"Installation","\u002Fgetting-started\u002Finstallation","0.Getting-Started\u002F1.installation",{"title":15,"path":16,"stem":17},"Quickstart","\u002Fgetting-started\u002Fquickstart","0.Getting-Started\u002F2.quickstart",{"title":19,"path":20,"stem":21},"Core concepts","\u002Fgetting-started\u002Fcore-concepts","0.Getting-Started\u002F3.core-concepts",{"title":23,"path":24,"stem":25,"children":26,"icon":28},"JWT","\u002Fjwt","1.JWT\u002F0.index",[27,29,52],{"title":23,"path":24,"stem":25,"icon":28},"i-carbon-certificate",{"title":30,"path":31,"stem":32,"children":33,"icon":35},"JWS","\u002Fjwt\u002Fjws","1.JWT\u002F1.JWS\u002F0.index",[34,36,40,44,48],{"title":30,"path":31,"stem":32,"icon":35},"i-carbon-document-signed",{"title":37,"path":38,"stem":39},"Signing","\u002Fjwt\u002Fjws\u002Fsigning","1.JWT\u002F1.JWS\u002F1.signing",{"title":41,"path":42,"stem":43},"Verifying","\u002Fjwt\u002Fjws\u002Fverifying","1.JWT\u002F1.JWS\u002F2.verifying",{"title":45,"path":46,"stem":47},"Multi-signature","\u002Fjwt\u002Fjws\u002Fmulti-signature","1.JWT\u002F1.JWS\u002F3.multi-signature",{"title":49,"path":50,"stem":51},"Algorithms","\u002Fjwt\u002Fjws\u002Falgorithms","1.JWT\u002F1.JWS\u002F4.algorithms",{"title":53,"path":54,"stem":55,"children":56,"icon":58},"JWE","\u002Fjwt\u002Fjwe","1.JWT\u002F2.JWE\u002F0.index",[57,59,63,67,71,75],{"title":53,"path":54,"stem":55,"icon":58},"i-carbon-locked",{"title":60,"path":61,"stem":62},"Encrypting","\u002Fjwt\u002Fjwe\u002Fencrypting","1.JWT\u002F2.JWE\u002F1.encrypting",{"title":64,"path":65,"stem":66},"Decrypting","\u002Fjwt\u002Fjwe\u002Fdecrypting","1.JWT\u002F2.JW
E\u002F2.decrypting",{"title":68,"path":69,"stem":70},"Multi-recipient","\u002Fjwt\u002Fjwe\u002Fmulti-recipient","1.JWT\u002F2.JWE\u002F3.multi-recipient",{"title":72,"path":73,"stem":74},"ECDH-ES and end-to-end encryption","\u002Fjwt\u002Fjwe\u002Fecdh-es","1.JWT\u002F2.JWE\u002F4.ecdh-es",{"title":49,"path":76,"stem":77},"\u002Fjwt\u002Fjwe\u002Falgorithms","1.JWT\u002F2.JWE\u002F5.algorithms",{"title":79,"path":80,"stem":81,"children":82,"icon":84},"Examples","\u002Fexamples","10.Examples\u002F0.index",[83,85,90,94,98,102],{"title":79,"path":80,"stem":81,"icon":84},"i-carbon-code-reference",{"title":86,"path":87,"stem":88,"icon":89},"Authentication basics","\u002Fexamples\u002Fauthentication-basics","10.Examples\u002F1.authentication-basics","i-lucide-code",{"title":91,"path":92,"stem":93,"icon":89},"Consuming a JWKS endpoint","\u002Fexamples\u002Fjwks-endpoint","10.Examples\u002F2.jwks-endpoint",{"title":95,"path":96,"stem":97,"icon":89},"Refresh token pattern","\u002Fexamples\u002Frefresh-token-pattern","10.Examples\u002F3.refresh-token-pattern",{"title":99,"path":100,"stem":101,"icon":89},"End-to-end encryption","\u002Fexamples\u002Fend-to-end-encryption","10.Examples\u002F4.end-to-end-encryption",{"title":103,"path":104,"stem":105,"icon":89},"Signed receipts","\u002Fexamples\u002Fsigned-receipts","10.Examples\u002F5.signed-receipts",{"title":107,"path":108,"stem":109,"children":110,"icon":112},"JWK","\u002Fjwk","2.JWK\u002F0.index",[111,113,117,121,125,129,133,137],{"title":107,"path":108,"stem":109,"icon":112},"i-carbon-two-factor-authentication",{"title":114,"path":115,"stem":116},"Generating keys","\u002Fjwk\u002Fgenerating","2.JWK\u002F1.generating",{"title":118,"path":119,"stem":120},"Importing and exporting","\u002Fjwk\u002Fimport-export","2.JWK\u002F2.import-export",{"title":122,"path":123,"stem":124},"PEM conversion","\u002Fjwk\u002Fpem","2.JWK\u002F3.pem",{"title":126,"path":127,"stem":128},"Key 
wrapping","\u002Fjwk\u002Fwrapping","2.JWK\u002F4.wrapping",{"title":130,"path":131,"stem":132},"Password derivation","\u002Fjwk\u002Fpassword-derivation","2.JWK\u002F5.password-derivation",{"title":134,"path":135,"stem":136},"JWK Sets","\u002Fjwk\u002Fjwk-sets","2.JWK\u002F6.jwk-sets",{"title":138,"path":139,"stem":140},"JWK cache","\u002Fjwk\u002Fcache","2.JWK\u002F7.cache",{"title":142,"path":143,"stem":144,"children":145,"icon":147},"Utilities","\u002Futilities","3.Utilities\u002F0.index",[146],{"title":142,"path":143,"stem":144,"icon":147},"i-carbon-tool-box",{"title":149,"path":150,"stem":151,"children":152,"icon":154},"Adapters","\u002Fadapters","99.Adapters\u002F0.index",[153,155,159,163],{"title":149,"path":150,"stem":151,"icon":154},"i-carbon-plug",{"title":156,"path":157,"stem":158},"H3 sessions","\u002Fadapters\u002Fh3-sessions","99.Adapters\u002F1.h3-sessions",{"title":160,"path":161,"stem":162},"Lifecycle hooks","\u002Fadapters\u002Fhooks","99.Adapters\u002F2.hooks",{"title":164,"path":165,"stem":166},"Lower-level functions","\u002Fadapters\u002Flower-level","99.Adapters\u002F3.lower-level",{"id":168,"title":95,"body":169,"description":244,"extension":1732,"meta":1733,"navigation":1734,"path":96,"seo":1735,"stem":97,"__hash__":1736},"content\u002F10.Examples\u002F3.refresh-token-pattern.md",{"type":170,"value":171,"toc":1723,"icon":89},"minimark",[172,185,188,204,216,232,237,664,671,698,702,1121,1136,1140,1143,1242,1245,1276,1280,1384,1387,1391,1394,1481,1492,1499,1503,1516,1693,1697,1719],[173,174,175,176,180,181,184],"p",{},"A common auth design: ",[177,178,179],"strong",{},"short-lived access tokens"," (minutes) for day-to-day calls, plus ",[177,182,183],{},"long-lived refresh tokens"," (days or weeks) that can mint new access tokens when the old one expires.",[173,186,187],{},"The shapes are deliberately different:",[189,190,191,198],"ul",{},[192,193,194,197],"li",{},[177,195,196],{},"Access tokens"," are JWS — readable by the client (useful for 
UI: show \"my profile\" based on the payload), fast to verify.",[192,199,200,203],{},[177,201,202],{},"Refresh tokens"," are JWE — the client holds them but can't inspect them; only your server can decrypt.",[173,205,206,207,211,212,215],{},"This example uses the H3 v2 session adapter so refresh is automatic on access-token expiry. If you're not using H3, the same pattern works — just call the lower-level ",[208,209,210],"code",{},"getJWESession"," \u002F ",[208,213,214],{},"updateJWSSession"," helpers manually.",[217,218,219],"note",{},[173,220,221,222,231],{},"Full source (a slightly different version of this) lives in the repo playground: ",[223,224,228],"a",{"href":225,"rel":226},"https:\u002F\u002Fgithub.com\u002Fsandros94\u002Funjwt\u002Fblob\u002Fmain\u002Fplayground\u002Fmain.ts",[227],"nofollow",[208,229,230],{},"playground\u002Fmain.ts",".",[233,234,236],"h2",{"id":235},"setup","Setup",[238,239,245],"pre",{"className":240,"code":241,"filename":242,"language":243,"meta":244,"style":244},"language-ts shiki shiki-themes github-light github-dark github-dark","import type { JWTClaims, SessionConfigJWE, SessionConfigJWS } from \"unjwt\u002Fadapters\u002Fh3v2\";\nimport { generateJWK } from \"unjwt\u002Fadapters\u002Fh3v2\";\n\n\u002F\u002F Access-token signing key (persist between deploys!)\nconst accessKey = await generateJWK(\"RS256\", { kid: \"at-2025\" });\n\n\u002F\u002F Refresh-token encryption is password-based for simplicity\nconst refreshConfig = {\n  key: process.env.REFRESH_SECRET!, \u002F\u002F a long random string\n  name: \"refresh_token\",\n  maxAge: \"7D\",\n  cookie: { httpOnly: true, secure: true, sameSite: \"lax\" },\n} satisfies SessionConfigJWE;\n\nconst accessConfig = {\n  key: accessKey,\n  name: \"access_token\",\n  maxAge: \"15m\",\n  cookie: { httpOnly: false, secure: true, sameSite: \"lax\" },\n  hooks: {\n    async onExpire({ event, config }) {\n      \u002F\u002F Access token just expired — try to mint a new one from the refresh 
token\n      const refresh = await getJWESession(event, refreshConfig);\n      if (!refresh.data.sub) return; \u002F\u002F no valid refresh session → stay logged out\n\n      console.info(\"Access token expired, rotating…\");\n      await updateJWSSession(event, config, {\n        sub: refresh.data.sub,\n        scope: refresh.data.scope,\n      });\n    },\n  },\n} satisfies SessionConfigJWS\u003CJWTClaims, \"15m\">;\n","config.ts","ts","",[208,246,247,273,287,294,301,336,341,347,360,378,390,401,424,438,443,455,461,471,481,499,505,529,535,554,577,582,599,611,617,623,629,635,641],{"__ignoreMap":244},[248,249,252,256,259,263,266,270],"span",{"class":250,"line":251},"line",1,[248,253,255],{"class":254},"so5gQ","import",[248,257,258],{"class":254}," type",[248,260,262],{"class":261},"slsVL"," { JWTClaims, SessionConfigJWE, SessionConfigJWS } ",[248,264,265],{"class":254},"from",[248,267,269],{"class":268},"sfrk1"," \"unjwt\u002Fadapters\u002Fh3v2\"",[248,271,272],{"class":261},";\n",[248,274,276,278,281,283,285],{"class":250,"line":275},2,[248,277,255],{"class":254},[248,279,280],{"class":261}," { generateJWK } ",[248,282,265],{"class":254},[248,284,269],{"class":268},[248,286,272],{"class":261},[248,288,290],{"class":250,"line":289},3,[248,291,293],{"emptyLinePlaceholder":292},true,"\n",[248,295,297],{"class":250,"line":296},4,[248,298,300],{"class":299},"sCsY4","\u002F\u002F Access-token signing key (persist between deploys!)\n",[248,302,304,307,311,314,317,321,324,327,330,333],{"class":250,"line":303},5,[248,305,306],{"class":254},"const",[248,308,310],{"class":309},"suiK_"," accessKey",[248,312,313],{"class":254}," =",[248,315,316],{"class":254}," await",[248,318,320],{"class":319},"shcOC"," generateJWK",[248,322,323],{"class":261},"(",[248,325,326],{"class":268},"\"RS256\"",[248,328,329],{"class":261},", { kid: ",[248,331,332],{"class":268},"\"at-2025\"",[248,334,335],{"class":261}," 
});\n",[248,337,339],{"class":250,"line":338},6,[248,340,293],{"emptyLinePlaceholder":292},[248,342,344],{"class":250,"line":343},7,[248,345,346],{"class":299},"\u002F\u002F Refresh-token encryption is password-based for simplicity\n",[248,348,350,352,355,357],{"class":250,"line":349},8,[248,351,306],{"class":254},[248,353,354],{"class":309}," refreshConfig",[248,356,313],{"class":254},[248,358,359],{"class":261}," {\n",[248,361,363,366,369,372,375],{"class":250,"line":362},9,[248,364,365],{"class":261},"  key: process.env.",[248,367,368],{"class":309},"REFRESH_SECRET",[248,370,371],{"class":254},"!",[248,373,374],{"class":261},", ",[248,376,377],{"class":299},"\u002F\u002F a long random string\n",[248,379,381,384,387],{"class":250,"line":380},10,[248,382,383],{"class":261},"  name: ",[248,385,386],{"class":268},"\"refresh_token\"",[248,388,389],{"class":261},",\n",[248,391,393,396,399],{"class":250,"line":392},11,[248,394,395],{"class":261},"  maxAge: ",[248,397,398],{"class":268},"\"7D\"",[248,400,389],{"class":261},[248,402,404,407,410,413,415,418,421],{"class":250,"line":403},12,[248,405,406],{"class":261},"  cookie: { httpOnly: ",[248,408,409],{"class":309},"true",[248,411,412],{"class":261},", secure: ",[248,414,409],{"class":309},[248,416,417],{"class":261},", sameSite: ",[248,419,420],{"class":268},"\"lax\"",[248,422,423],{"class":261}," },\n",[248,425,427,430,433,436],{"class":250,"line":426},13,[248,428,429],{"class":261},"} ",[248,431,432],{"class":254},"satisfies",[248,434,435],{"class":319}," SessionConfigJWE",[248,437,272],{"class":261},[248,439,441],{"class":250,"line":440},14,[248,442,293],{"emptyLinePlaceholder":292},[248,444,446,448,451,453],{"class":250,"line":445},15,[248,447,306],{"class":254},[248,449,450],{"class":309}," accessConfig",[248,452,313],{"class":254},[248,454,359],{"class":261},[248,456,458],{"class":250,"line":457},16,[248,459,460],{"class":261},"  key: 
accessKey,\n",[248,462,464,466,469],{"class":250,"line":463},17,[248,465,383],{"class":261},[248,467,468],{"class":268},"\"access_token\"",[248,470,389],{"class":261},[248,472,474,476,479],{"class":250,"line":473},18,[248,475,395],{"class":261},[248,477,478],{"class":268},"\"15m\"",[248,480,389],{"class":261},[248,482,484,486,489,491,493,495,497],{"class":250,"line":483},19,[248,485,406],{"class":261},[248,487,488],{"class":309},"false",[248,490,412],{"class":261},[248,492,409],{"class":309},[248,494,417],{"class":261},[248,496,420],{"class":268},[248,498,423],{"class":261},[248,500,502],{"class":250,"line":501},20,[248,503,504],{"class":261},"  hooks: {\n",[248,506,508,511,514,517,521,523,526],{"class":250,"line":507},21,[248,509,510],{"class":254},"    async",[248,512,513],{"class":319}," onExpire",[248,515,516],{"class":261},"({ ",[248,518,520],{"class":519},"sQHwn","event",[248,522,374],{"class":261},[248,524,525],{"class":519},"config",[248,527,528],{"class":261}," }) {\n",[248,530,532],{"class":250,"line":531},22,[248,533,534],{"class":299},"      \u002F\u002F Access token just expired — try to mint a new one from the refresh token\n",[248,536,538,541,544,546,548,551],{"class":250,"line":537},23,[248,539,540],{"class":254},"      const",[248,542,543],{"class":309}," refresh",[248,545,313],{"class":254},[248,547,316],{"class":254},[248,549,550],{"class":319}," getJWESession",[248,552,553],{"class":261},"(event, refreshConfig);\n",[248,555,557,560,563,565,568,571,574],{"class":250,"line":556},24,[248,558,559],{"class":254},"      if",[248,561,562],{"class":261}," (",[248,564,371],{"class":254},[248,566,567],{"class":261},"refresh.data.sub) ",[248,569,570],{"class":254},"return",[248,572,573],{"class":261},"; ",[248,575,576],{"class":299},"\u002F\u002F no valid refresh session → stay logged 
out\n",[248,578,580],{"class":250,"line":579},25,[248,581,293],{"emptyLinePlaceholder":292},[248,583,585,588,591,593,596],{"class":250,"line":584},26,[248,586,587],{"class":261},"      console.",[248,589,590],{"class":319},"info",[248,592,323],{"class":261},[248,594,595],{"class":268},"\"Access token expired, rotating…\"",[248,597,598],{"class":261},");\n",[248,600,602,605,608],{"class":250,"line":601},27,[248,603,604],{"class":254},"      await",[248,606,607],{"class":319}," updateJWSSession",[248,609,610],{"class":261},"(event, config, {\n",[248,612,614],{"class":250,"line":613},28,[248,615,616],{"class":261},"        sub: refresh.data.sub,\n",[248,618,620],{"class":250,"line":619},29,[248,621,622],{"class":261},"        scope: refresh.data.scope,\n",[248,624,626],{"class":250,"line":625},30,[248,627,628],{"class":261},"      });\n",[248,630,632],{"class":250,"line":631},31,[248,633,634],{"class":261},"    },\n",[248,636,638],{"class":250,"line":637},32,[248,639,640],{"class":261},"  },\n",[248,642,644,646,648,651,654,657,659,661],{"class":250,"line":643},33,[248,645,429],{"class":261},[248,647,432],{"class":254},[248,649,650],{"class":319}," SessionConfigJWS",[248,652,653],{"class":261},"\u003C",[248,655,656],{"class":319},"JWTClaims",[248,658,374],{"class":261},[248,660,478],{"class":268},[248,662,663],{"class":261},">;\n",[173,665,666,667,670],{},"The ",[208,668,669],{},"onExpire"," hook is where the magic lives. 
When a request comes in with an expired access token, unjwt:",[672,673,675,689,695],"steps",{"level":674},"4",[676,677,678,679,681,682,681,685,688],"h4",{},"Fires ",[208,680,669],{}," ",[177,683,684],{},"instead of",[208,686,687],{},"onRead"," (they're mutually exclusive).",[676,690,691,692,694],{},"Your hook reads the refresh session, confirms it's valid, and calls ",[208,693,214],{}," to mint a fresh access token.",[676,696,697],{},"The new token is set in the response cookies automatically — the client gets it on the same response.",[233,699,701],{"id":700},"login-mint-both-tokens","Login — mint both tokens",[238,703,706],{"className":240,"code":704,"filename":705,"language":243,"meta":244,"style":244},"import { H3, HTTPError } from \"h3\";\nimport { useJWESession, useJWSSession } from \"unjwt\u002Fadapters\u002Fh3v2\";\n\nconst app = new H3();\n\napp.post(\"\u002Flogin\", async (event) => {\n  const refreshSession = await useJWESession(event, refreshConfig);\n  const accessSession = await useJWSSession(event, accessConfig);\n\n  \u002F\u002F Already logged in? 
Return current state.\n  if (accessSession.data.sub) {\n    return {\n      access: accessSession.data,\n      refresh: refreshSession.data,\n    };\n  }\n\n  const { username, password } = (await event.req.json()) as {\n    username?: string;\n    password?: string;\n  };\n  if (!username || !password) {\n    throw new HTTPError(\"Username and password required\", { status: 400 });\n  }\n\n  \u002F\u002F TODO: validate against your user store\n  const user = await validateCredentials(username, password);\n  if (!user) throw new HTTPError(\"Invalid credentials\", { status: 401 });\n\n  const claims = { sub: user.id, scope: user.scopes.join(\" \") };\n\n  await refreshSession.update(claims);\n  await accessSession.update(claims);\n\n  return { access: accessSession.data, refresh: refreshSession.data };\n});\n","login.ts",[208,707,708,722,735,739,757,761,791,808,825,829,834,842,849,854,859,864,869,873,913,926,937,942,962,985,989,993,998,1015,1045,1049,1072,1076,1090,1101,1106,1115],{"__ignoreMap":244},[248,709,710,712,715,717,720],{"class":250,"line":251},[248,711,255],{"class":254},[248,713,714],{"class":261}," { H3, HTTPError } ",[248,716,265],{"class":254},[248,718,719],{"class":268}," \"h3\"",[248,721,272],{"class":261},[248,723,724,726,729,731,733],{"class":250,"line":275},[248,725,255],{"class":254},[248,727,728],{"class":261}," { useJWESession, useJWSSession } ",[248,730,265],{"class":254},[248,732,269],{"class":268},[248,734,272],{"class":261},[248,736,737],{"class":250,"line":289},[248,738,293],{"emptyLinePlaceholder":292},[248,740,741,743,746,748,751,754],{"class":250,"line":296},[248,742,306],{"class":254},[248,744,745],{"class":309}," app",[248,747,313],{"class":254},[248,749,750],{"class":254}," new",[248,752,753],{"class":319}," 
H3",[248,755,756],{"class":261},"();\n",[248,758,759],{"class":250,"line":303},[248,760,293],{"emptyLinePlaceholder":292},[248,762,763,766,769,771,774,776,779,781,783,786,789],{"class":250,"line":338},[248,764,765],{"class":261},"app.",[248,767,768],{"class":319},"post",[248,770,323],{"class":261},[248,772,773],{"class":268},"\"\u002Flogin\"",[248,775,374],{"class":261},[248,777,778],{"class":254},"async",[248,780,562],{"class":261},[248,782,520],{"class":519},[248,784,785],{"class":261},") ",[248,787,788],{"class":254},"=>",[248,790,359],{"class":261},[248,792,793,796,799,801,803,806],{"class":250,"line":343},[248,794,795],{"class":254},"  const",[248,797,798],{"class":309}," refreshSession",[248,800,313],{"class":254},[248,802,316],{"class":254},[248,804,805],{"class":319}," useJWESession",[248,807,553],{"class":261},[248,809,810,812,815,817,819,822],{"class":250,"line":349},[248,811,795],{"class":254},[248,813,814],{"class":309}," accessSession",[248,816,313],{"class":254},[248,818,316],{"class":254},[248,820,821],{"class":319}," useJWSSession",[248,823,824],{"class":261},"(event, accessConfig);\n",[248,826,827],{"class":250,"line":362},[248,828,293],{"emptyLinePlaceholder":292},[248,830,831],{"class":250,"line":380},[248,832,833],{"class":299},"  \u002F\u002F Already logged in? 
Return current state.\n",[248,835,836,839],{"class":250,"line":392},[248,837,838],{"class":254},"  if",[248,840,841],{"class":261}," (accessSession.data.sub) {\n",[248,843,844,847],{"class":250,"line":403},[248,845,846],{"class":254},"    return",[248,848,359],{"class":261},[248,850,851],{"class":250,"line":426},[248,852,853],{"class":261},"      access: accessSession.data,\n",[248,855,856],{"class":250,"line":440},[248,857,858],{"class":261},"      refresh: refreshSession.data,\n",[248,860,861],{"class":250,"line":445},[248,862,863],{"class":261},"    };\n",[248,865,866],{"class":250,"line":457},[248,867,868],{"class":261},"  }\n",[248,870,871],{"class":250,"line":463},[248,872,293],{"emptyLinePlaceholder":292},[248,874,875,877,880,883,885,888,891,894,896,899,902,905,908,911],{"class":250,"line":473},[248,876,795],{"class":254},[248,878,879],{"class":261}," { ",[248,881,882],{"class":309},"username",[248,884,374],{"class":261},[248,886,887],{"class":309},"password",[248,889,890],{"class":261}," } ",[248,892,893],{"class":254},"=",[248,895,562],{"class":261},[248,897,898],{"class":254},"await",[248,900,901],{"class":261}," event.req.",[248,903,904],{"class":319},"json",[248,906,907],{"class":261},"()) ",[248,909,910],{"class":254},"as",[248,912,359],{"class":261},[248,914,915,918,921,924],{"class":250,"line":483},[248,916,917],{"class":519},"    username",[248,919,920],{"class":254},"?:",[248,922,923],{"class":309}," string",[248,925,272],{"class":261},[248,927,928,931,933,935],{"class":250,"line":501},[248,929,930],{"class":519},"    password",[248,932,920],{"class":254},[248,934,923],{"class":309},[248,936,272],{"class":261},[248,938,939],{"class":250,"line":507},[248,940,941],{"class":261},"  };\n",[248,943,944,946,948,950,953,956,959],{"class":250,"line":531},[248,945,838],{"class":254},[248,947,562],{"class":261},[248,949,371],{"class":254},[248,951,952],{"class":261},"username ",[248,954,955],{"class":254},"||",[248,957,958],{"class":254}," 
!",[248,960,961],{"class":261},"password) {\n",[248,963,964,967,969,972,974,977,980,983],{"class":250,"line":537},[248,965,966],{"class":254},"    throw",[248,968,750],{"class":254},[248,970,971],{"class":319}," HTTPError",[248,973,323],{"class":261},[248,975,976],{"class":268},"\"Username and password required\"",[248,978,979],{"class":261},", { status: ",[248,981,982],{"class":309},"400",[248,984,335],{"class":261},[248,986,987],{"class":250,"line":556},[248,988,868],{"class":261},[248,990,991],{"class":250,"line":579},[248,992,293],{"emptyLinePlaceholder":292},[248,994,995],{"class":250,"line":584},[248,996,997],{"class":299},"  \u002F\u002F TODO: validate against your user store\n",[248,999,1000,1002,1005,1007,1009,1012],{"class":250,"line":601},[248,1001,795],{"class":254},[248,1003,1004],{"class":309}," user",[248,1006,313],{"class":254},[248,1008,316],{"class":254},[248,1010,1011],{"class":319}," validateCredentials",[248,1013,1014],{"class":261},"(username, password);\n",[248,1016,1017,1019,1021,1023,1026,1029,1031,1033,1035,1038,1040,1043],{"class":250,"line":613},[248,1018,838],{"class":254},[248,1020,562],{"class":261},[248,1022,371],{"class":254},[248,1024,1025],{"class":261},"user) ",[248,1027,1028],{"class":254},"throw",[248,1030,750],{"class":254},[248,1032,971],{"class":319},[248,1034,323],{"class":261},[248,1036,1037],{"class":268},"\"Invalid credentials\"",[248,1039,979],{"class":261},[248,1041,1042],{"class":309},"401",[248,1044,335],{"class":261},[248,1046,1047],{"class":250,"line":619},[248,1048,293],{"emptyLinePlaceholder":292},[248,1050,1051,1053,1056,1058,1061,1064,1066,1069],{"class":250,"line":625},[248,1052,795],{"class":254},[248,1054,1055],{"class":309}," claims",[248,1057,313],{"class":254},[248,1059,1060],{"class":261}," { sub: user.id, scope: user.scopes.",[248,1062,1063],{"class":319},"join",[248,1065,323],{"class":261},[248,1067,1068],{"class":268},"\" \"",[248,1070,1071],{"class":261},") 
};\n",[248,1073,1074],{"class":250,"line":631},[248,1075,293],{"emptyLinePlaceholder":292},[248,1077,1078,1081,1084,1087],{"class":250,"line":637},[248,1079,1080],{"class":254},"  await",[248,1082,1083],{"class":261}," refreshSession.",[248,1085,1086],{"class":319},"update",[248,1088,1089],{"class":261},"(claims);\n",[248,1091,1092,1094,1097,1099],{"class":250,"line":643},[248,1093,1080],{"class":254},[248,1095,1096],{"class":261}," accessSession.",[248,1098,1086],{"class":319},[248,1100,1089],{"class":261},[248,1102,1104],{"class":250,"line":1103},34,[248,1105,293],{"emptyLinePlaceholder":292},[248,1107,1109,1112],{"class":250,"line":1108},35,[248,1110,1111],{"class":254},"  return",[248,1113,1114],{"class":261}," { access: accessSession.data, refresh: refreshSession.data };\n",[248,1116,1118],{"class":250,"line":1117},36,[248,1119,1120],{"class":261},"});\n",[173,1122,1123,1124,1127,1128,1131,1132,1135],{},"Both sessions are ",[177,1125,1126],{},"lazy",": calling ",[208,1129,1130],{},"useJWESession"," doesn't set a cookie. 
Only ",[208,1133,1134],{},"session.update()"," actually materializes the token and sets the cookie.",[233,1137,1139],{"id":1138},"protected-route","Protected route",[173,1141,1142],{},"Once logged in, every request with both cookies is handled automatically:",[238,1144,1147],{"className":240,"code":1145,"filename":1146,"language":243,"meta":244,"style":244},"app.get(\"\u002Fprofile\", async (event) => {\n  const accessSession = await useJWSSession(event, accessConfig);\n\n  if (!accessSession.data.sub) {\n    throw new HTTPError(\"Not authenticated\", { status: 401 });\n  }\n\n  return { userId: accessSession.data.sub, scope: accessSession.data.scope };\n});\n","profile.ts",[208,1148,1149,1175,1189,1193,1204,1223,1227,1231,1238],{"__ignoreMap":244},[248,1150,1151,1153,1156,1158,1161,1163,1165,1167,1169,1171,1173],{"class":250,"line":251},[248,1152,765],{"class":261},[248,1154,1155],{"class":319},"get",[248,1157,323],{"class":261},[248,1159,1160],{"class":268},"\"\u002Fprofile\"",[248,1162,374],{"class":261},[248,1164,778],{"class":254},[248,1166,562],{"class":261},[248,1168,520],{"class":519},[248,1170,785],{"class":261},[248,1172,788],{"class":254},[248,1174,359],{"class":261},[248,1176,1177,1179,1181,1183,1185,1187],{"class":250,"line":275},[248,1178,795],{"class":254},[248,1180,814],{"class":309},[248,1182,313],{"class":254},[248,1184,316],{"class":254},[248,1186,821],{"class":319},[248,1188,824],{"class":261},[248,1190,1191],{"class":250,"line":289},[248,1192,293],{"emptyLinePlaceholder":292},[248,1194,1195,1197,1199,1201],{"class":250,"line":296},[248,1196,838],{"class":254},[248,1198,562],{"class":261},[248,1200,371],{"class":254},[248,1202,1203],{"class":261},"accessSession.data.sub) {\n",[248,1205,1206,1208,1210,1212,1214,1217,1219,1221],{"class":250,"line":303},[248,1207,966],{"class":254},[248,1209,750],{"class":254},[248,1211,971],{"class":319},[248,1213,323],{"class":261},[248,1215,1216],{"class":268},"\"Not 
authenticated\"",[248,1218,979],{"class":261},[248,1220,1042],{"class":309},[248,1222,335],{"class":261},[248,1224,1225],{"class":250,"line":338},[248,1226,868],{"class":261},[248,1228,1229],{"class":250,"line":343},[248,1230,293],{"emptyLinePlaceholder":292},[248,1232,1233,1235],{"class":250,"line":349},[248,1234,1111],{"class":254},[248,1236,1237],{"class":261}," { userId: accessSession.data.sub, scope: accessSession.data.scope };\n",[248,1239,1240],{"class":250,"line":362},[248,1241,1120],{"class":261},[173,1243,1244],{},"If the access-token cookie is:",[189,1246,1247,1257,1268],{},[192,1248,1249,1252,1253,1256],{},[177,1250,1251],{},"Valid"," → ",[208,1254,1255],{},"accessSession.data"," is populated from the token.",[192,1258,1259,1252,1262,1264,1265,1267],{},[177,1260,1261],{},"Expired",[208,1263,669],{}," runs and attempts a refresh; if that succeeds, ",[208,1266,1255],{}," is populated from the new token and the client receives a new cookie.",[192,1269,1270,1252,1273,1275],{},[177,1271,1272],{},"Invalid \u002F missing",[208,1274,1255],{}," is empty; your handler throws 401 as normal.",[233,1277,1279],{"id":1278},"logout-clear-both","Logout — clear both",[238,1281,1284],{"className":240,"code":1282,"filename":1283,"language":243,"meta":244,"style":244},"app.post(\"\u002Flogout\", async (event) => {\n  const refreshSession = await useJWESession(event, refreshConfig);\n  const accessSession = await useJWSSession(event, accessConfig);\n\n  await accessSession.clear();\n  await refreshSession.clear();\n\n  return { ok: true 
};\n});\n","logout.ts",[208,1285,1286,1311,1325,1339,1343,1354,1364,1368,1380],{"__ignoreMap":244},[248,1287,1288,1290,1292,1294,1297,1299,1301,1303,1305,1307,1309],{"class":250,"line":251},[248,1289,765],{"class":261},[248,1291,768],{"class":319},[248,1293,323],{"class":261},[248,1295,1296],{"class":268},"\"\u002Flogout\"",[248,1298,374],{"class":261},[248,1300,778],{"class":254},[248,1302,562],{"class":261},[248,1304,520],{"class":519},[248,1306,785],{"class":261},[248,1308,788],{"class":254},[248,1310,359],{"class":261},[248,1312,1313,1315,1317,1319,1321,1323],{"class":250,"line":275},[248,1314,795],{"class":254},[248,1316,798],{"class":309},[248,1318,313],{"class":254},[248,1320,316],{"class":254},[248,1322,805],{"class":319},[248,1324,553],{"class":261},[248,1326,1327,1329,1331,1333,1335,1337],{"class":250,"line":289},[248,1328,795],{"class":254},[248,1330,814],{"class":309},[248,1332,313],{"class":254},[248,1334,316],{"class":254},[248,1336,821],{"class":319},[248,1338,824],{"class":261},[248,1340,1341],{"class":250,"line":296},[248,1342,293],{"emptyLinePlaceholder":292},[248,1344,1345,1347,1349,1352],{"class":250,"line":303},[248,1346,1080],{"class":254},[248,1348,1096],{"class":261},[248,1350,1351],{"class":319},"clear",[248,1353,756],{"class":261},[248,1355,1356,1358,1360,1362],{"class":250,"line":338},[248,1357,1080],{"class":254},[248,1359,1083],{"class":261},[248,1361,1351],{"class":319},[248,1363,756],{"class":261},[248,1365,1366],{"class":250,"line":343},[248,1367,293],{"emptyLinePlaceholder":292},[248,1369,1370,1372,1375,1377],{"class":250,"line":349},[248,1371,1111],{"class":254},[248,1373,1374],{"class":261}," { ok: ",[248,1376,409],{"class":309},[248,1378,1379],{"class":261}," };\n",[248,1381,1382],{"class":250,"line":362},[248,1383,1120],{"class":261},[173,1385,1386],{},"Both cookies are expired on the response. 
On subsequent requests, neither session will have data. Clearing the cookies does not invalidate a token that was already copied elsewhere; such a token stays usable until it expires (see Revocation below).",[233,1388,1390],{"id":1389},"rotating-keys-without-downtime","Rotating keys without downtime",[173,1392,1393],{},"Because access tokens are signed (JWS), you can add key rotation to the access config:",[238,1395,1398],{"className":240,"code":1396,"filename":1397,"language":243,"meta":244,"style":244},"const keys = { keys: [currentAccessKey, previousAccessKey] }; \u002F\u002F JWKSet\n\nconst accessConfig = {\n  key: currentAccessKey, \u002F\u002F always sign with current\n  \u002F\u002F Ignore the overload: the verify path uses the hook below\n  hooks: {\n    onVerifyKeyLookup: () => keys, \u002F\u002F verification tries both keys\n  },\n  \u002F\u002F ...\n} satisfies SessionConfigJWS;\n","rotation.ts",[208,1399,1400,1415,1419,1429,1437,1442,1446,1462,1466,1471],{"__ignoreMap":244},[248,1401,1402,1404,1407,1409,1412],{"class":250,"line":251},[248,1403,306],{"class":254},[248,1405,1406],{"class":309}," keys",[248,1408,313],{"class":254},[248,1410,1411],{"class":261}," { keys: [currentAccessKey, previousAccessKey] }; ",[248,1413,1414],{"class":299},"\u002F\u002F JWKSet\n",[248,1416,1417],{"class":250,"line":275},[248,1418,293],{"emptyLinePlaceholder":292},[248,1420,1421,1423,1425,1427],{"class":250,"line":289},[248,1422,306],{"class":254},[248,1424,450],{"class":309},[248,1426,313],{"class":254},[248,1428,359],{"class":261},[248,1430,1431,1434],{"class":250,"line":296},[248,1432,1433],{"class":261},"  key: currentAccessKey, ",[248,1435,1436],{"class":299},"\u002F\u002F always sign with current\n",[248,1438,1439],{"class":250,"line":303},[248,1440,1441],{"class":299},"  \u002F\u002F Ignore the overload: the verify path uses the hook below\n",[248,1443,1444],{"class":250,"line":338},[248,1445,504],{"class":261},[248,1447,1448,1451,1454,1456,1459],{"class":250,"line":343},[248,1449,1450],{"class":319},"    onVerifyKeyLookup",[248,1452,1453],{"class":261},": () 
",[248,1455,788],{"class":254},[248,1457,1458],{"class":261}," keys, ",[248,1460,1461],{"class":299},"\u002F\u002F verification tries both keys\n",[248,1463,1464],{"class":250,"line":349},[248,1465,640],{"class":261},[248,1467,1468],{"class":250,"line":362},[248,1469,1470],{"class":299},"  \u002F\u002F ...\n",[248,1472,1473,1475,1477,1479],{"class":250,"line":380},[248,1474,429],{"class":261},[248,1476,432],{"class":254},[248,1478,650],{"class":319},[248,1480,272],{"class":261},[173,1482,1483,1484,1487,1488,1491],{},"Now tokens signed with ",[208,1485,1486],{},"previousAccessKey"," still verify, but new tokens are minted with ",[208,1489,1490],{},"currentAccessKey",". Once the previous key's longest-lived token has expired, drop it from the set.",[173,1493,1494,1495,1498],{},"Refresh tokens (JWE) are trickier because you'd need to try multiple decryption keys — use ",[208,1496,1497],{},"onUnsealKeyLookup"," on the refresh config for the same pattern.",[233,1500,1502],{"id":1501},"revocation","Revocation",[173,1504,1505,1506,211,1508,1511,1512,1515],{},"For stronger logout guarantees (invalidate all sessions from a given user), use ",[208,1507,669],{},[208,1509,1510],{},"onClear"," to track revoked ",[208,1513,1514],{},"jti","s in a store and reject them on read. The store is keyed by session ID, so invalidating every session of a user also means recording which IDs belong to that user. Example:",[238,1517,1520],{"className":240,"code":1518,"filename":1519,"language":243,"meta":244,"style":244},"const accessConfig = {\n  key: accessKey,\n  maxAge: \"15m\",\n  hooks: {\n    async onExpire({ session }) {\n      if (session.id) await revokedStore.add(session.id); \u002F\u002F track expired jti\n    },\n    async onClear({ oldSession }) {\n      if (oldSession?.id) await revokedStore.add(oldSession.id);\n    },\n    async onRead({ session }) {\n      if (await revokedStore.has(session.id)) {\n        throw new Error(\"Session revoked\");\n      }\n    },\n  },\n  \u002F\u002F ...\n} satisfies 
SessionConfigJWS;\n","revocation.ts",[208,1521,1522,1532,1536,1544,1548,1561,1582,1586,1600,1616,1620,1633,1649,1666,1671,1675,1679,1683],{"__ignoreMap":244},[248,1523,1524,1526,1528,1530],{"class":250,"line":251},[248,1525,306],{"class":254},[248,1527,450],{"class":309},[248,1529,313],{"class":254},[248,1531,359],{"class":261},[248,1533,1534],{"class":250,"line":275},[248,1535,460],{"class":261},[248,1537,1538,1540,1542],{"class":250,"line":289},[248,1539,395],{"class":261},[248,1541,478],{"class":268},[248,1543,389],{"class":261},[248,1545,1546],{"class":250,"line":296},[248,1547,504],{"class":261},[248,1549,1550,1552,1554,1556,1559],{"class":250,"line":303},[248,1551,510],{"class":254},[248,1553,513],{"class":319},[248,1555,516],{"class":261},[248,1557,1558],{"class":519},"session",[248,1560,528],{"class":261},[248,1562,1563,1565,1568,1570,1573,1576,1579],{"class":250,"line":338},[248,1564,559],{"class":254},[248,1566,1567],{"class":261}," (session.id) ",[248,1569,898],{"class":254},[248,1571,1572],{"class":261}," revokedStore.",[248,1574,1575],{"class":319},"add",[248,1577,1578],{"class":261},"(session.id); ",[248,1580,1581],{"class":299},"\u002F\u002F track expired jti\n",[248,1583,1584],{"class":250,"line":343},[248,1585,634],{"class":261},[248,1587,1588,1590,1593,1595,1598],{"class":250,"line":349},[248,1589,510],{"class":254},[248,1591,1592],{"class":319}," onClear",[248,1594,516],{"class":261},[248,1596,1597],{"class":519},"oldSession",[248,1599,528],{"class":261},[248,1601,1602,1604,1607,1609,1611,1613],{"class":250,"line":362},[248,1603,559],{"class":254},[248,1605,1606],{"class":261}," (oldSession?.id) ",[248,1608,898],{"class":254},[248,1610,1572],{"class":261},[248,1612,1575],{"class":319},[248,1614,1615],{"class":261},"(oldSession.id);\n",[248,1617,1618],{"class":250,"line":380},[248,1619,634],{"class":261},[248,1621,1622,1624,1627,1629,1631],{"class":250,"line":392},[248,1623,510],{"class":254},[248,1625,1626],{"class":319}," 
onRead",[248,1628,516],{"class":261},[248,1630,1558],{"class":519},[248,1632,528],{"class":261},[248,1634,1635,1637,1639,1641,1643,1646],{"class":250,"line":403},[248,1636,559],{"class":254},[248,1638,562],{"class":261},[248,1640,898],{"class":254},[248,1642,1572],{"class":261},[248,1644,1645],{"class":319},"has",[248,1647,1648],{"class":261},"(session.id)) {\n",[248,1650,1651,1654,1656,1659,1661,1664],{"class":250,"line":426},[248,1652,1653],{"class":254},"        throw",[248,1655,750],{"class":254},[248,1657,1658],{"class":319}," Error",[248,1660,323],{"class":261},[248,1662,1663],{"class":268},"\"Session revoked\"",[248,1665,598],{"class":261},[248,1667,1668],{"class":250,"line":440},[248,1669,1670],{"class":261},"      }\n",[248,1672,1673],{"class":250,"line":445},[248,1674,634],{"class":261},[248,1676,1677],{"class":250,"line":457},[248,1678,640],{"class":261},[248,1680,1681],{"class":250,"line":463},[248,1682,1470],{"class":299},[248,1684,1685,1687,1689,1691],{"class":250,"line":473},[248,1686,429],{"class":261},[248,1688,432],{"class":254},[248,1690,650],{"class":319},[248,1692,272],{"class":261},[233,1694,1696],{"id":1695},"see-also","See also",[189,1698,1699,1704,1709,1714],{},[192,1700,1701],{},[223,1702,1703],{"href":150},"Adapters overview →",[192,1705,1706],{},[223,1707,1708],{"href":157},"H3 sessions →",[192,1710,1711],{},[223,1712,1713],{"href":161},"Adapters hooks →",[192,1715,1716],{},[223,1717,1718],{"href":87},"Authentication basics →",[1720,1721,1722],"style",{},"html pre.shiki code .so5gQ, html code.shiki .so5gQ{--shiki-light:#D73A49;--shiki-default:#F97583;--shiki-dark:#F97583}html pre.shiki code .slsVL, html code.shiki .slsVL{--shiki-light:#24292E;--shiki-default:#E1E4E8;--shiki-dark:#E1E4E8}html pre.shiki code .sfrk1, html code.shiki .sfrk1{--shiki-light:#032F62;--shiki-default:#9ECBFF;--shiki-dark:#9ECBFF}html pre.shiki code .sCsY4, html code.shiki .sCsY4{--shiki-light:#6A737D;--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code 
.suiK_, html code.shiki .suiK_{--shiki-light:#005CC5;--shiki-default:#79B8FF;--shiki-dark:#79B8FF}html pre.shiki code .shcOC, html code.shiki .shcOC{--shiki-light:#6F42C1;--shiki-default:#B392F0;--shiki-dark:#B392F0}html pre.shiki code .sQHwn, html code.shiki .sQHwn{--shiki-light:#E36209;--shiki-default:#FFAB70;--shiki-dark:#FFAB70}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":244,"searchDepth":275,"depth":275,"links":1724},[1725,1726,1727,1728,1729,1730,1731],{"id":235,"depth":275,"text":236},{"id":700,"depth":275,"text":701},{"id":1138,"depth":275,"text":1139},{"id":1278,"depth":275,"text":1279},{"id":1389,"depth":275,"text":1390},{"id":1501,"depth":275,"text":1502},{"id":1695,"depth":275,"text":1696},"md",{"icon":89},{"icon":89},{"title":95,"description":244},"nVFWJBoHcSi4fovqKPstzF7hw-2nuxxPG5Ce7IU7v1Y",[1738,1739],{"title":91,"path":92,"stem":93,"description":244,"icon":89,"children":-1},{"title":99,"path":100,"stem":101,"description":244,"icon":89,"children":-1},1776888559111]