[{"data":1,"prerenderedAt":1584},["ShallowReactive",2],{"navigation":3,"-jwk-wrapping":167,"-jwk-wrapping-surround":1581},[4,22,78,106,141,148],{"title":5,"path":6,"stem":7,"children":8},"Introduction","\u002Fgetting-started","0.Getting-Started\u002F0.index",[9,10,14,18],{"title":5,"path":6,"stem":7},{"title":11,"path":12,"stem":13},"Installation","\u002Fgetting-started\u002Finstallation","0.Getting-Started\u002F1.installation",{"title":15,"path":16,"stem":17},"Quickstart","\u002Fgetting-started\u002Fquickstart","0.Getting-Started\u002F2.quickstart",{"title":19,"path":20,"stem":21},"Core concepts","\u002Fgetting-started\u002Fcore-concepts","0.Getting-Started\u002F3.core-concepts",{"title":23,"path":24,"stem":25,"children":26,"icon":28},"JWT","\u002Fjwt","1.JWT\u002F0.index",[27,29,52],{"title":23,"path":24,"stem":25,"icon":28},"i-carbon-certificate",{"title":30,"path":31,"stem":32,"children":33,"icon":35},"JWS","\u002Fjwt\u002Fjws","1.JWT\u002F1.JWS\u002F0.index",[34,36,40,44,48],{"title":30,"path":31,"stem":32,"icon":35},"i-carbon-document-signed",{"title":37,"path":38,"stem":39},"Signing","\u002Fjwt\u002Fjws\u002Fsigning","1.JWT\u002F1.JWS\u002F1.signing",{"title":41,"path":42,"stem":43},"Verifying","\u002Fjwt\u002Fjws\u002Fverifying","1.JWT\u002F1.JWS\u002F2.verifying",{"title":45,"path":46,"stem":47},"Multi-signature","\u002Fjwt\u002Fjws\u002Fmulti-signature","1.JWT\u002F1.JWS\u002F3.multi-signature",{"title":49,"path":50,"stem":51},"Algorithms","\u002Fjwt\u002Fjws\u002Falgorithms","1.JWT\u002F1.JWS\u002F4.algorithms",{"title":53,"path":54,"stem":55,"children":56,"icon":58},"JWE","\u002Fjwt\u002Fjwe","1.JWT\u002F2.JWE\u002F0.index",[57,59,63,67,71,75],{"title":53,"path":54,"stem":55,"icon":58},"i-carbon-locked",{"title":60,"path":61,"stem":62},"Encrypting","\u002Fjwt\u002Fjwe\u002Fencrypting","1.JWT\u002F2.JWE\u002F1.encrypting",{"title":64,"path":65,"stem":66},"Decrypting","\u002Fjwt\u002Fjwe\u002Fdecrypting","1.JWT\u002F2.JWE\u002F2.decrypting",{"title":68,"path":69,"stem":70},"Multi-recipient","\u002Fjwt\u002Fjwe\u002Fmulti-recipient","1.JWT\u002F2.JWE\u002F3.multi-recipient",{"title":72,"path":73,"stem":74},"ECDH-ES and end-to-end encryption","\u002Fjwt\u002Fjwe\u002Fecdh-es","1.JWT\u002F2.JWE\u002F4.ecdh-es",{"title":49,"path":76,"stem":77},"\u002Fjwt\u002Fjwe\u002Falgorithms","1.JWT\u002F2.JWE\u002F5.algorithms",{"title":79,"path":80,"stem":81,"children":82,"icon":84},"Examples","\u002Fexamples","10.Examples\u002F0.index",[83,85,90,94,98,102],{"title":79,"path":80,"stem":81,"icon":84},"i-carbon-code-reference",{"title":86,"path":87,"stem":88,"icon":89},"Authentication basics","\u002Fexamples\u002Fauthentication-basics","10.Examples\u002F1.authentication-basics","i-lucide-code",{"title":91,"path":92,"stem":93,"icon":89},"Consuming a JWKS endpoint","\u002Fexamples\u002Fjwks-endpoint","10.Examples\u002F2.jwks-endpoint",{"title":95,"path":96,"stem":97,"icon":89},"Refresh token pattern","\u002Fexamples\u002Frefresh-token-pattern","10.Examples\u002F3.refresh-token-pattern",{"title":99,"path":100,"stem":101,"icon":89},"End-to-end encryption","\u002Fexamples\u002Fend-to-end-encryption","10.Examples\u002F4.end-to-end-encryption",{"title":103,"path":104,"stem":105,"icon":89},"Signed receipts","\u002Fexamples\u002Fsigned-receipts","10.Examples\u002F5.signed-receipts",{"title":107,"path":108,"stem":109,"children":110,"icon":112},"JWK","\u002Fjwk","2.JWK\u002F0.index",[111,113,117,121,125,129,133,137],{"title":107,"path":108,"stem":109,"icon":112},"i-carbon-two-factor-authentication",{"title":114,"path":115,"stem":116},"Generating keys","\u002Fjwk\u002Fgenerating","2.JWK\u002F1.generating",{"title":118,"path":119,"stem":120},"Importing and exporting","\u002Fjwk\u002Fimport-export","2.JWK\u002F2.import-export",{"title":122,"path":123,"stem":124},"PEM conversion","\u002Fjwk\u002Fpem","2.JWK\u002F3.pem",{"title":126,"path":127,"stem":128},"Key wrapping","\u002Fjwk\u002Fwrapping","2.JWK\u002F4.wrapping",{"title":130,"path":131,"stem":132},"Password derivation","\u002Fjwk\u002Fpassword-derivation","2.JWK\u002F5.password-derivation",{"title":134,"path":135,"stem":136},"JWK Sets","\u002Fjwk\u002Fjwk-sets","2.JWK\u002F6.jwk-sets",{"title":138,"path":139,"stem":140},"JWK cache","\u002Fjwk\u002Fcache","2.JWK\u002F7.cache",{"title":142,"path":143,"stem":144,"children":145,"icon":147},"Utilities","\u002Futilities","3.Utilities\u002F0.index",[146],{"title":142,"path":143,"stem":144,"icon":147},"i-carbon-tool-box",{"title":149,"path":150,"stem":151,"children":152,"icon":154},"Adapters","\u002Fadapters","99.Adapters\u002F0.index",[153,155,159,163],{"title":149,"path":150,"stem":151,"icon":154},"i-carbon-plug",{"title":156,"path":157,"stem":158},"H3 sessions","\u002Fadapters\u002Fh3-sessions","99.Adapters\u002F1.h3-sessions",{"title":160,"path":161,"stem":162},"Lifecycle hooks","\u002Fadapters\u002Fhooks","99.Adapters\u002F2.hooks",{"title":164,"path":165,"stem":166},"Lower-level functions","\u002Fadapters\u002Flower-level","99.Adapters\u002F3.lower-level",{"id":168,"title":126,"body":169,"description":190,"extension":1576,"meta":1577,"navigation":1578,"path":127,"seo":1579,"stem":128,"__hash__":1580},"content\u002F2.JWK\u002F4.wrapping.md",{"type":170,"value":171,"toc":1564},"minimark",[172,184,216,244,250,269,359,408,414,495,525,719,723,864,869,885,898,965,969,978,1062,1079,1083,1093,1121,1124,1128,1134,1187,1191,1200,1520,1531,1535,1560],[173,174,175,179,180,183],"p",{},[176,177,178],"code",{},"encrypt()","\u002F",[176,181,182],{},"decrypt()"," wrap and unwrap the Content Encryption Key internally. When you need the building blocks — for custom hybrid protocols, custom JWE serializations, or interop with other systems — unjwt exposes them directly:",[185,186,191],"pre",{"className":187,"code":188,"language":189,"meta":190,"style":190},"language-ts shiki shiki-themes github-light github-dark github-dark","import { wrapKey, unwrapKey } from \"unjwt\u002Fjwk\";\n","ts","",[176,192,193],{"__ignoreMap":190},[194,195,198,202,206,209,213],"span",{"class":196,"line":197},"line",1,[194,199,201],{"class":200},"so5gQ","import",[194,203,205],{"class":204},"slsVL"," { wrapKey, unwrapKey } ",[194,207,208],{"class":200},"from",[194,210,212],{"class":211},"sfrk1"," \"unjwt\u002Fjwk\"",[194,214,215],{"class":204},";\n",[217,218,219],"tip",{},[173,220,221,225,226,228,229,231,232,179,235,238,239,243],{},[222,223,224],"strong",{},"You probably don't need these directly."," ",[176,227,178],{}," and ",[176,230,182],{}," handle wrapping for every JWE algorithm. Reach for ",[176,233,234],{},"wrapKey",[176,236,237],{},"unwrapKey"," only when building a ",[240,241,242],"a",{"href":69},"JSON Serialization variant by hand",", implementing a custom cipher protocol, or testing at the primitive level.",[245,246,248],"h2",{"id":247},"wrapkey",[176,249,234],{},[185,251,253],{"className":187,"code":252,"language":189,"meta":190,"style":190},"wrapKey(alg, keyToWrap, wrappingKey, options?)\n",[176,254,255],{"__ignoreMap":190},[194,256,257,260,263,266],{"class":196,"line":197},[194,258,234],{"class":259},"shcOC",[194,261,262],{"class":204},"(alg, keyToWrap, wrappingKey, options",[194,264,265],{"class":200},"?",[194,267,268],{"class":204},")\n",[270,271,272,288],"table",{},[273,274,275],"thead",{},[276,277,278,282,285],"tr",{},[279,280,281],"th",{},"Parameter",[279,283,284],{},"Type",[279,286,287],{},"Role",[289,290,291,312,327,342],"tbody",{},[276,292,293,299,309],{},[294,295,296],"td",{},[176,297,298],{},"alg",[294,300,301,304,305,308],{},[176,302,303],{},"KeyManagementAlgorithm"," (including ",[176,306,307],{},"\"dir\"",")",[294,310,311],{},"How to wrap.",[276,313,314,319,324],{},[294,315,316],{},[176,317,318],{},"keyToWrap",[294,320,321],{},[176,322,323],{},"CryptoKey | Uint8Array",[294,325,326],{},"The CEK to be wrapped.",[276,328,329,334,339],{},[294,330,331],{},[176,332,333],{},"wrappingKey",[294,335,336],{},[176,337,338],{},"WrappingKeyFor\u003Calg>",[294,340,341],{},"The recipient's key (or password for PBES2).",[276,343,344,349,356],{},[294,345,346],{},[176,347,348],{},"options",[294,350,351,352],{},"See ",[240,353,355],{"href":354},"#options","below",[294,357,358],{},"Per-algorithm extras (IV, salt, ephemeral, etc.).",[173,360,361,363,364,366,367,370,371,374,375,370,378,381,382,370,385,388,389,392,393,395,396,399,400,403,404,407],{},[176,362,338],{}," narrows the ",[176,365,333],{}," to the shape legal for the selected algorithm — e.g. ",[176,368,369],{},"WrappingKeyFor\u003C\"A128KW\">"," is ",[176,372,373],{},"CryptoKey | JWK_oct\u003C\"A128KW\">",", ",[176,376,377],{},"WrappingKeyFor\u003C\"RSA-OAEP-256\">",[176,379,380],{},"CryptoKey | JWK_RSA_Public\u003C\"RSA-OAEP-256\">",", and ",[176,383,384],{},"WrappingKeyFor\u003C\"PBES2-HS256+A128KW\">",[176,386,387],{},"string | Uint8Array | JWK_oct\u003C\"PBES2-HS256+A128KW\">",". AES-GCMKW additionally accepts the bare ",[176,390,391],{},"A*GCM"," counterpart to match the runtime aliasing rule. ",[176,394,237],{},"'s ",[176,397,398],{},"unwrappingKey"," parameter uses the symmetric ",[176,401,402],{},"UnwrappingKeyFor\u003Calg>"," with the ",[176,405,406],{},"_Private"," variants on the asymmetric branches.",[173,409,410,411,413],{},"The return shape depends on ",[176,412,298],{},":",[270,415,416,428],{},[273,417,418],{},[276,419,420,425],{},[279,421,422,424],{},[176,423,298],{}," family",[279,426,427],{},"Returns",[289,429,430,447,459,471,483],{},[276,431,432,442],{},[294,433,434,374,436,374,439],{},[176,435,307],{},[176,437,438],{},"\"A*KW\"",[176,440,441],{},"\"RSA-OAEP*\"",[294,443,444],{},[176,445,446],{},"{ encryptedKey: Uint8Array }",[276,448,449,454],{},[294,450,451],{},[176,452,453],{},"\"PBES2-*\"",[294,455,456],{},[176,457,458],{},"{ encryptedKey, p2s, p2c }",[276,460,461,466],{},[294,462,463],{},[176,464,465],{},"\"A*GCMKW\"",[294,467,468],{},[176,469,470],{},"{ encryptedKey, iv, tag }",[276,472,473,478],{},[294,474,475],{},[176,476,477],{},"\"ECDH-ES\"",[294,479,480],{},[176,481,482],{},"{ encryptedKey (empty), epk, apu?, apv? }",[276,484,485,490],{},[294,486,487],{},[176,488,489],{},"\"ECDH-ES+A*KW\"",[294,491,492],{},[176,493,494],{},"{ encryptedKey, epk, apu?, apv? }",[173,496,497,498,501,502,505,506,512,513,517,518,524],{},"For ",[176,499,500],{},"ECDH-ES"," direct (no key wrap), ",[176,503,504],{},"encryptedKey"," is an ",[222,507,508,509],{},"empty ",[176,510,511],{},"Uint8Array"," — the derived secret ",[514,515,516],"em",{},"is"," the CEK, so there's nothing to ship (per ",[240,519,523],{"href":520,"rel":521},"https:\u002F\u002Fwww.rfc-editor.org\u002Frfc\u002Frfc7516#section-4.6",[522],"nofollow","RFC 7516 §4.6",").",[185,526,529],{"className":187,"code":527,"filename":528,"language":189,"meta":190,"style":190},"\u002F\u002F AES Key Wrap\nconst { encryptedKey } = await wrapKey(\"A256KW\", cek, aesKey);\n\n\u002F\u002F RSA-OAEP\nconst { encryptedKey: ek } = await wrapKey(\"RSA-OAEP-256\", cek, rsaPublicJwk);\n\n\u002F\u002F ECDH-ES with key wrap\nconst { encryptedKey, epk } = await wrapKey(\"ECDH-ES+A256KW\", cek, recipientPublicKey);\n\n\u002F\u002F ECDH-ES direct (no wrap — derived secret IS the CEK)\nconst { epk, apu, apv } = await wrapKey(\"ECDH-ES\", rawCek, recipientPublicKey, {\n  ecdh: { enc: \"A256GCM\" },\n});\n","examples.ts",[176,530,531,537,570,577,583,615,620,626,656,661,667,701,713],{"__ignoreMap":190},[194,532,533],{"class":196,"line":197},[194,534,536],{"class":535},"sCsY4","\u002F\u002F AES Key Wrap\n",[194,538,540,543,546,549,552,555,558,561,564,567],{"class":196,"line":539},2,[194,541,542],{"class":200},"const",[194,544,545],{"class":204}," { ",[194,547,504],{"class":548},"suiK_",[194,550,551],{"class":204}," } ",[194,553,554],{"class":200},"=",[194,556,557],{"class":200}," await",[194,559,560],{"class":259}," wrapKey",[194,562,563],{"class":204},"(",[194,565,566],{"class":211},"\"A256KW\"",[194,568,569],{"class":204},", cek, aesKey);\n",[194,571,573],{"class":196,"line":572},3,[194,574,576],{"emptyLinePlaceholder":575},true,"\n",[194,578,580],{"class":196,"line":579},4,[194,581,582],{"class":535},"\u002F\u002F RSA-OAEP\n",[194,584,586,588,590,593,596,599,601,603,605,607,609,612],{"class":196,"line":585},5,[194,587,542],{"class":200},[194,589,545],{"class":204},[194,591,504],{"class":592},"sQHwn",[194,594,595],{"class":204},": ",[194,597,598],{"class":548},"ek",[194,600,551],{"class":204},[194,602,554],{"class":200},[194,604,557],{"class":200},[194,606,560],{"class":259},[194,608,563],{"class":204},[194,610,611],{"class":211},"\"RSA-OAEP-256\"",[194,613,614],{"class":204},", cek, rsaPublicJwk);\n",[194,616,618],{"class":196,"line":617},6,[194,619,576],{"emptyLinePlaceholder":575},[194,621,623],{"class":196,"line":622},7,[194,624,625],{"class":535},"\u002F\u002F ECDH-ES with key wrap\n",[194,627,629,631,633,635,637,640,642,644,646,648,650,653],{"class":196,"line":628},8,[194,630,542],{"class":200},[194,632,545],{"class":204},[194,634,504],{"class":548},[194,636,374],{"class":204},[194,638,639],{"class":548},"epk",[194,641,551],{"class":204},[194,643,554],{"class":200},[194,645,557],{"class":200},[194,647,560],{"class":259},[194,649,563],{"class":204},[194,651,652],{"class":211},"\"ECDH-ES+A256KW\"",[194,654,655],{"class":204},", cek, recipientPublicKey);\n",[194,657,659],{"class":196,"line":658},9,[194,660,576],{"emptyLinePlaceholder":575},[194,662,664],{"class":196,"line":663},10,[194,665,666],{"class":535},"\u002F\u002F ECDH-ES direct (no wrap — derived secret IS the CEK)\n",[194,668,670,672,674,676,678,681,683,686,688,690,692,694,696,698],{"class":196,"line":669},11,[194,671,542],{"class":200},[194,673,545],{"class":204},[194,675,639],{"class":548},[194,677,374],{"class":204},[194,679,680],{"class":548},"apu",[194,682,374],{"class":204},[194,684,685],{"class":548},"apv",[194,687,551],{"class":204},[194,689,554],{"class":200},[194,691,557],{"class":200},[194,693,560],{"class":259},[194,695,563],{"class":204},[194,697,477],{"class":211},[194,699,700],{"class":204},", rawCek, recipientPublicKey, {\n",[194,702,704,707,710],{"class":196,"line":703},12,[194,705,706],{"class":204},"  ecdh: { enc: ",[194,708,709],{"class":211},"\"A256GCM\"",[194,711,712],{"class":204}," },\n",[194,714,716],{"class":196,"line":715},13,[194,717,718],{"class":204},"});\n",[720,721,722],"h3",{"id":348},"Options",[185,724,726],{"className":187,"code":725,"language":189,"meta":190,"style":190},"interface WrapKeyOptions {\n  iv?: Uint8Array; \u002F\u002F AES-GCMKW\n  p2s?: Uint8Array; \u002F\u002F PBES2 salt (defaults: 16 random bytes)\n  p2c?: number; \u002F\u002F PBES2 iterations (default: 600_000)\n  ecdh?: {\n    ephemeralKey?: CryptoKey | JWK_EC_Private | CryptoKeyPair;\n    partyUInfo?: Uint8Array;\n    partyVInfo?: Uint8Array;\n    enc?: ContentEncryptionAlgorithm; \u002F\u002F required for bare \"ECDH-ES\"\n  };\n}\n",[176,727,728,739,756,770,785,794,817,828,839,854,859],{"__ignoreMap":190},[194,729,730,733,736],{"class":196,"line":197},[194,731,732],{"class":200},"interface",[194,734,735],{"class":259}," WrapKeyOptions",[194,737,738],{"class":204}," {\n",[194,740,741,744,747,750,753],{"class":196,"line":539},[194,742,743],{"class":592},"  iv",[194,745,746],{"class":200},"?:",[194,748,749],{"class":259}," Uint8Array",[194,751,752],{"class":204},"; ",[194,754,755],{"class":535},"\u002F\u002F AES-GCMKW\n",[194,757,758,761,763,765,767],{"class":196,"line":572},[194,759,760],{"class":592},"  p2s",[194,762,746],{"class":200},[194,764,749],{"class":259},[194,766,752],{"class":204},[194,768,769],{"class":535},"\u002F\u002F PBES2 salt (defaults: 16 random bytes)\n",[194,771,772,775,777,780,782],{"class":196,"line":579},[194,773,774],{"class":592},"  p2c",[194,776,746],{"class":200},[194,778,779],{"class":548}," number",[194,781,752],{"class":204},[194,783,784],{"class":535},"\u002F\u002F PBES2 iterations (default: 600_000)\n",[194,786,787,790,792],{"class":196,"line":585},[194,788,789],{"class":592},"  ecdh",[194,791,746],{"class":200},[194,793,738],{"class":204},[194,795,796,799,801,804,807,810,812,815],{"class":196,"line":617},[194,797,798],{"class":592},"    ephemeralKey",[194,800,746],{"class":200},[194,802,803],{"class":259}," CryptoKey",[194,805,806],{"class":200}," |",[194,808,809],{"class":259}," JWK_EC_Private",[194,811,806],{"class":200},[194,813,814],{"class":259}," CryptoKeyPair",[194,816,215],{"class":204},[194,818,819,822,824,826],{"class":196,"line":622},[194,820,821],{"class":592},"    partyUInfo",[194,823,746],{"class":200},[194,825,749],{"class":259},[194,827,215],{"class":204},[194,829,830,833,835,837],{"class":196,"line":628},[194,831,832],{"class":592},"    partyVInfo",[194,834,746],{"class":200},[194,836,749],{"class":259},[194,838,215],{"class":204},[194,840,841,844,846,849,851],{"class":196,"line":658},[194,842,843],{"class":592},"    enc",[194,845,746],{"class":200},[194,847,848],{"class":259}," ContentEncryptionAlgorithm",[194,850,752],{"class":204},[194,852,853],{"class":535},"\u002F\u002F required for bare \"ECDH-ES\"\n",[194,855,856],{"class":196,"line":663},[194,857,858],{"class":204},"  };\n",[194,860,861],{"class":196,"line":669},[194,862,863],{"class":204},"}\n",[245,865,867],{"id":866},"unwrapkey",[176,868,237],{},[185,870,872],{"className":187,"code":871,"language":189,"meta":190,"style":190},"unwrapKey(alg, wrappedKey, unwrappingKey, options?)\n",[176,873,874],{"__ignoreMap":190},[194,875,876,878,881,883],{"class":196,"line":197},[194,877,237],{"class":259},[194,879,880],{"class":204},"(alg, wrappedKey, unwrappingKey, options",[194,882,265],{"class":200},[194,884,268],{"class":204},[173,886,887,888,890,891,894,895,413],{},"Reverses ",[176,889,234],{},". Returns a ",[176,892,893],{},"CryptoKey"," by default, or raw bytes with ",[176,896,897],{},"format: \"raw\"",[185,899,901],{"className":187,"code":900,"language":189,"meta":190,"style":190},"\u002F\u002F Returns CryptoKey (default)\nconst cek = await unwrapKey(\"A256KW\", encryptedKey, aesKey);\n\n\u002F\u002F Returns Uint8Array\nconst raw = await unwrapKey(\"A256KW\", encryptedKey, aesKey, { format: \"raw\" });\n",[176,902,903,908,930,934,939],{"__ignoreMap":190},[194,904,905],{"class":196,"line":197},[194,906,907],{"class":535},"\u002F\u002F Returns CryptoKey (default)\n",[194,909,910,912,915,918,920,923,925,927],{"class":196,"line":539},[194,911,542],{"class":200},[194,913,914],{"class":548}," cek",[194,916,917],{"class":200}," =",[194,919,557],{"class":200},[194,921,922],{"class":259}," unwrapKey",[194,924,563],{"class":204},[194,926,566],{"class":211},[194,928,929],{"class":204},", encryptedKey, aesKey);\n",[194,931,932],{"class":196,"line":572},[194,933,576],{"emptyLinePlaceholder":575},[194,935,936],{"class":196,"line":579},[194,937,938],{"class":535},"\u002F\u002F Returns Uint8Array\n",[194,940,941,943,946,948,950,952,954,956,959,962],{"class":196,"line":585},[194,942,542],{"class":200},[194,944,945],{"class":548}," raw",[194,947,917],{"class":200},[194,949,557],{"class":200},[194,951,922],{"class":259},[194,953,563],{"class":204},[194,955,566],{"class":211},[194,957,958],{"class":204},", encryptedKey, aesKey, { format: ",[194,960,961],{"class":211},"\"raw\"",[194,963,964],{"class":204}," });\n",[720,966,968],{"id":967},"format-cryptokey-import","Format & CryptoKey import",[173,970,971,972,975,976,413],{},"When ",[176,973,974],{},"format: \"cryptokey\""," (default), unjwt imports the unwrapped bytes as a Web Crypto ",[176,977,893],{},[185,979,981],{"className":187,"code":980,"language":189,"meta":190,"style":190},"const cek = await unwrapKey(\"A256KW\", encryptedKey, aesKey, {\n  format: \"cryptokey\", \u002F\u002F default\n  unwrappedKeyAlgorithm: { name: \"AES-GCM\", length: 256 },\n  keyUsage: [\"encrypt\", \"decrypt\"],\n  extractable: false,\n});\n",[176,982,983,1002,1015,1031,1047,1058],{"__ignoreMap":190},[194,984,985,987,989,991,993,995,997,999],{"class":196,"line":197},[194,986,542],{"class":200},[194,988,914],{"class":548},[194,990,917],{"class":200},[194,992,557],{"class":200},[194,994,922],{"class":259},[194,996,563],{"class":204},[194,998,566],{"class":211},[194,1000,1001],{"class":204},", encryptedKey, aesKey, {\n",[194,1003,1004,1007,1010,1012],{"class":196,"line":539},[194,1005,1006],{"class":204},"  format: ",[194,1008,1009],{"class":211},"\"cryptokey\"",[194,1011,374],{"class":204},[194,1013,1014],{"class":535},"\u002F\u002F default\n",[194,1016,1017,1020,1023,1026,1029],{"class":196,"line":572},[194,1018,1019],{"class":204},"  unwrappedKeyAlgorithm: { name: ",[194,1021,1022],{"class":211},"\"AES-GCM\"",[194,1024,1025],{"class":204},", length: ",[194,1027,1028],{"class":548},"256",[194,1030,712],{"class":204},[194,1032,1033,1036,1039,1041,1044],{"class":196,"line":579},[194,1034,1035],{"class":204},"  keyUsage: [",[194,1037,1038],{"class":211},"\"encrypt\"",[194,1040,374],{"class":204},[194,1042,1043],{"class":211},"\"decrypt\"",[194,1045,1046],{"class":204},"],\n",[194,1048,1049,1052,1055],{"class":196,"line":585},[194,1050,1051],{"class":204},"  extractable: ",[194,1053,1054],{"class":548},"false",[194,1056,1057],{"class":204},",\n",[194,1059,1060],{"class":196,"line":617},[194,1061,718],{"class":204},[173,1063,971,1064,1066,1067,1069,1070,1074,1075,1078],{},[176,1065,897],{},", you get the ",[176,1068,511],{}," and decide how to use it (pass to ",[240,1071,1072],{"href":61},[176,1073,178],{}," as a ",[176,1076,1077],{},"dir"," key, pipe into another cipher, etc.).",[720,1080,1082],{"id":1081},"pbes2-iteration-bounds","PBES2 iteration bounds",[173,1084,1085,1087,1088,413],{},[176,1086,237],{}," enforces the same DoS-protection bounds as ",[240,1089,1091],{"href":1090},"\u002Fjwt\u002Fjwe\u002Fdecrypting#pbes2-dos-protection",[176,1092,182],{},[1094,1095,1096,1112],"ul",{},[1097,1098,1099,1102,1103,1106,1107,524],"li",{},[176,1100,1101],{},"minIterations"," — default ",[176,1104,1105],{},"1000"," (",[240,1108,1111],{"href":1109,"rel":1110},"https:\u002F\u002Fwww.rfc-editor.org\u002Frfc\u002Frfc7518#section-4.8.1.2",[522],"RFC 7518 §4.8.1.2",[1097,1113,1114,1102,1117,1120],{},[176,1115,1116],{},"maxIterations",[176,1118,1119],{},"1_000_000",".",[173,1122,1123],{},"Set explicitly if your deployment uses unusual values.",[720,1125,1127],{"id":1126},"ecdh-es-inputs","ECDH-ES inputs",[173,1129,497,1130,1133],{},[176,1131,1132],{},"ECDH-ES*"," unwrap, pass the header fields that were in the original token:",[185,1135,1137],{"className":187,"code":1136,"language":189,"meta":190,"style":190},"const cek = await unwrapKey(\"ECDH-ES+A256KW\", encryptedKey, myPrivateKey, {\n  epk: tokenHeader.epk,\n  apu: tokenHeader.apu, \u002F\u002F base64url string or Uint8Array\n  apv: tokenHeader.apv,\n  enc: tokenHeader.enc, \u002F\u002F required for bare \"ECDH-ES\"\n});\n",[176,1138,1139,1158,1163,1171,1176,1183],{"__ignoreMap":190},[194,1140,1141,1143,1145,1147,1149,1151,1153,1155],{"class":196,"line":197},[194,1142,542],{"class":200},[194,1144,914],{"class":548},[194,1146,917],{"class":200},[194,1148,557],{"class":200},[194,1150,922],{"class":259},[194,1152,563],{"class":204},[194,1154,652],{"class":211},[194,1156,1157],{"class":204},", encryptedKey, myPrivateKey, {\n",[194,1159,1160],{"class":196,"line":539},[194,1161,1162],{"class":204},"  epk: tokenHeader.epk,\n",[194,1164,1165,1168],{"class":196,"line":572},[194,1166,1167],{"class":204},"  apu: tokenHeader.apu, ",[194,1169,1170],{"class":535},"\u002F\u002F base64url string or Uint8Array\n",[194,1172,1173],{"class":196,"line":579},[194,1174,1175],{"class":204},"  apv: tokenHeader.apv,\n",[194,1177,1178,1181],{"class":196,"line":585},[194,1179,1180],{"class":204},"  enc: tokenHeader.enc, ",[194,1182,853],{"class":535},[194,1184,1185],{"class":196,"line":617},[194,1186,718],{"class":204},[245,1188,1190],{"id":1189},"typical-use-building-a-manual-multi-recipient-envelope","Typical use — building a manual multi-recipient envelope",[173,1192,1193,1194,1199],{},"Before ",[240,1195,1196],{"href":69},[176,1197,1198],{},"encryptMulti"," existed, this was the manual pattern for \"one ciphertext, many recipients\" — and it's still useful as a teaching example of how the spec composes:",[185,1201,1204],{"className":187,"code":1202,"filename":1203,"language":189,"meta":190,"style":190},"import { wrapKey, unwrapKey } from \"unjwt\u002Fjwk\";\nimport { secureRandomBytes } from \"unjwt\u002Futils\";\nimport { encrypt, decrypt } from \"unjwt\u002Fjwe\";\n\nconst enc = \"A256GCM\";\nconst cek = secureRandomBytes(32);\n\n\u002F\u002F 1. Encrypt payload once with the CEK\nconst ciphertext = await encrypt({ msg: \"x\" }, cek, { alg: \"dir\", enc });\n\n\u002F\u002F 2. Wrap the CEK per recipient\nconst wrapped = await Promise.all(\n  recipients.map(async ({ publicKey }) => {\n    const { encryptedKey, epk } = await wrapKey(\"ECDH-ES+A256KW\", cek, publicKey);\n    return { encryptedKey, epk };\n  }),\n);\n\n\u002F\u002F 3. Recipient unwraps their own entry, then decrypts\nconst mine = wrapped[myIndex];\nconst myCek = await unwrapKey(\"ECDH-ES+A256KW\", mine.encryptedKey, myPrivateKey, {\n  format: \"raw\",\n  epk: mine.epk,\n  enc,\n});\nconst { payload } = await decrypt(ciphertext, myCek);\n","manual-multi.ts",[176,1205,1206,1218,1232,1246,1250,1264,1283,1287,1292,1320,1324,1329,1351,1378,1407,1416,1422,1427,1432,1438,1451,1472,1481,1487,1493,1498],{"__ignoreMap":190},[194,1207,1208,1210,1212,1214,1216],{"class":196,"line":197},[194,1209,201],{"class":200},[194,1211,205],{"class":204},[194,1213,208],{"class":200},[194,1215,212],{"class":211},[194,1217,215],{"class":204},[194,1219,1220,1222,1225,1227,1230],{"class":196,"line":539},[194,1221,201],{"class":200},[194,1223,1224],{"class":204}," { secureRandomBytes } ",[194,1226,208],{"class":200},[194,1228,1229],{"class":211}," \"unjwt\u002Futils\"",[194,1231,215],{"class":204},[194,1233,1234,1236,1239,1241,1244],{"class":196,"line":572},[194,1235,201],{"class":200},[194,1237,1238],{"class":204}," { encrypt, decrypt } ",[194,1240,208],{"class":200},[194,1242,1243],{"class":211}," \"unjwt\u002Fjwe\"",[194,1245,215],{"class":204},[194,1247,1248],{"class":196,"line":579},[194,1249,576],{"emptyLinePlaceholder":575},[194,1251,1252,1254,1257,1259,1262],{"class":196,"line":585},[194,1253,542],{"class":200},[194,1255,1256],{"class":548}," enc",[194,1258,917],{"class":200},[194,1260,1261],{"class":211}," \"A256GCM\"",[194,1263,215],{"class":204},[194,1265,1266,1268,1270,1272,1275,1277,1280],{"class":196,"line":617},[194,1267,542],{"class":200},[194,1269,914],{"class":548},[194,1271,917],{"class":200},[194,1273,1274],{"class":259}," secureRandomBytes",[194,1276,563],{"class":204},[194,1278,1279],{"class":548},"32",[194,1281,1282],{"class":204},");\n",[194,1284,1285],{"class":196,"line":622},[194,1286,576],{"emptyLinePlaceholder":575},[194,1288,1289],{"class":196,"line":628},[194,1290,1291],{"class":535},"\u002F\u002F 1. Encrypt payload once with the CEK\n",[194,1293,1294,1296,1299,1301,1303,1306,1309,1312,1315,1317],{"class":196,"line":658},[194,1295,542],{"class":200},[194,1297,1298],{"class":548}," ciphertext",[194,1300,917],{"class":200},[194,1302,557],{"class":200},[194,1304,1305],{"class":259}," encrypt",[194,1307,1308],{"class":204},"({ msg: ",[194,1310,1311],{"class":211},"\"x\"",[194,1313,1314],{"class":204}," }, cek, { alg: ",[194,1316,307],{"class":211},[194,1318,1319],{"class":204},", enc });\n",[194,1321,1322],{"class":196,"line":663},[194,1323,576],{"emptyLinePlaceholder":575},[194,1325,1326],{"class":196,"line":669},[194,1327,1328],{"class":535},"\u002F\u002F 2. Wrap the CEK per recipient\n",[194,1330,1331,1333,1336,1338,1340,1343,1345,1348],{"class":196,"line":703},[194,1332,542],{"class":200},[194,1334,1335],{"class":548}," wrapped",[194,1337,917],{"class":200},[194,1339,557],{"class":200},[194,1341,1342],{"class":548}," Promise",[194,1344,1120],{"class":204},[194,1346,1347],{"class":259},"all",[194,1349,1350],{"class":204},"(\n",[194,1352,1353,1356,1359,1361,1364,1367,1370,1373,1376],{"class":196,"line":715},[194,1354,1355],{"class":204},"  recipients.",[194,1357,1358],{"class":259},"map",[194,1360,563],{"class":204},[194,1362,1363],{"class":200},"async",[194,1365,1366],{"class":204}," ({ ",[194,1368,1369],{"class":592},"publicKey",[194,1371,1372],{"class":204}," }) ",[194,1374,1375],{"class":200},"=>",[194,1377,738],{"class":204},[194,1379,1381,1384,1386,1388,1390,1392,1394,1396,1398,1400,1402,1404],{"class":196,"line":1380},14,[194,1382,1383],{"class":200},"    const",[194,1385,545],{"class":204},[194,1387,504],{"class":548},[194,1389,374],{"class":204},[194,1391,639],{"class":548},[194,1393,551],{"class":204},[194,1395,554],{"class":200},[194,1397,557],{"class":200},[194,1399,560],{"class":259},[194,1401,563],{"class":204},[194,1403,652],{"class":211},[194,1405,1406],{"class":204},", cek, publicKey);\n",[194,1408,1410,1413],{"class":196,"line":1409},15,[194,1411,1412],{"class":200},"    return",[194,1414,1415],{"class":204}," { encryptedKey, epk };\n",[194,1417,1419],{"class":196,"line":1418},16,[194,1420,1421],{"class":204},"  }),\n",[194,1423,1425],{"class":196,"line":1424},17,[194,1426,1282],{"class":204},[194,1428,1430],{"class":196,"line":1429},18,[194,1431,576],{"emptyLinePlaceholder":575},[194,1433,1435],{"class":196,"line":1434},19,[194,1436,1437],{"class":535},"\u002F\u002F 3. Recipient unwraps their own entry, then decrypts\n",[194,1439,1441,1443,1446,1448],{"class":196,"line":1440},20,[194,1442,542],{"class":200},[194,1444,1445],{"class":548}," mine",[194,1447,917],{"class":200},[194,1449,1450],{"class":204}," wrapped[myIndex];\n",[194,1452,1454,1456,1459,1461,1463,1465,1467,1469],{"class":196,"line":1453},21,[194,1455,542],{"class":200},[194,1457,1458],{"class":548}," myCek",[194,1460,917],{"class":200},[194,1462,557],{"class":200},[194,1464,922],{"class":259},[194,1466,563],{"class":204},[194,1468,652],{"class":211},[194,1470,1471],{"class":204},", mine.encryptedKey, myPrivateKey, {\n",[194,1473,1475,1477,1479],{"class":196,"line":1474},22,[194,1476,1006],{"class":204},[194,1478,961],{"class":211},[194,1480,1057],{"class":204},[194,1482,1484],{"class":196,"line":1483},23,[194,1485,1486],{"class":204},"  epk: mine.epk,\n",[194,1488,1490],{"class":196,"line":1489},24,[194,1491,1492],{"class":204},"  enc,\n",[194,1494,1496],{"class":196,"line":1495},25,[194,1497,718],{"class":204},[194,1499,1501,1503,1505,1508,1510,1512,1514,1517],{"class":196,"line":1500},26,[194,1502,542],{"class":200},[194,1504,545],{"class":204},[194,1506,1507],{"class":548},"payload",[194,1509,551],{"class":204},[194,1511,554],{"class":200},[194,1513,557],{"class":200},[194,1515,1516],{"class":259}," decrypt",[194,1518,1519],{"class":204},"(ciphertext, myCek);\n",[173,1521,1522,1523,1530],{},"In practice, use ",[240,1524,1525,179,1527],{"href":69},[176,1526,1198],{},[176,1528,1529],{},"decryptMulti"," instead — they produce a proper RFC 7516 §7.2 General JSON Serialization with all the envelope fields in the right places.",[245,1532,1534],{"id":1533},"see-also","See also",[1094,1536,1537,1543,1555],{},[1097,1538,1539,1542],{},[240,1540,1541],{"href":69},"Multi-recipient →"," — the high-level API.",[1097,1544,1545,1548,1549,1120],{},[240,1546,1547],{"href":73},"ECDH-ES →"," — including ",[240,1550,1552],{"href":1551},"\u002Fjwt\u002Fjwe\u002Fecdh-es#derivesharedsecret-the-raw-kdf-step",[176,1553,1554],{},"deriveSharedSecret",[1097,1556,1557,1120],{},[240,1558,1559],{"href":76},"JWE algorithms →",[1561,1562,1563],"style",{},"html pre.shiki code .so5gQ, html code.shiki .so5gQ{--shiki-light:#D73A49;--shiki-default:#F97583;--shiki-dark:#F97583}html pre.shiki code .slsVL, html code.shiki .slsVL{--shiki-light:#24292E;--shiki-default:#E1E4E8;--shiki-dark:#E1E4E8}html pre.shiki code .sfrk1, html code.shiki .sfrk1{--shiki-light:#032F62;--shiki-default:#9ECBFF;--shiki-dark:#9ECBFF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .shcOC, html code.shiki .shcOC{--shiki-light:#6F42C1;--shiki-default:#B392F0;--shiki-dark:#B392F0}html pre.shiki code .sCsY4, html code.shiki .sCsY4{--shiki-light:#6A737D;--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .suiK_, html code.shiki .suiK_{--shiki-light:#005CC5;--shiki-default:#79B8FF;--shiki-dark:#79B8FF}html pre.shiki code .sQHwn, html code.shiki .sQHwn{--shiki-light:#E36209;--shiki-default:#FFAB70;--shiki-dark:#FFAB70}",{"title":190,"searchDepth":539,"depth":539,"links":1565},[1566,1569,1574,1575],{"id":247,"depth":539,"text":234,"children":1567},[1568],{"id":348,"depth":572,"text":722},{"id":866,"depth":539,"text":237,"children":1570},[1571,1572,1573],{"id":967,"depth":572,"text":968},{"id":1081,"depth":572,"text":1082},{"id":1126,"depth":572,"text":1127},{"id":1189,"depth":539,"text":1190},{"id":1533,"depth":539,"text":1534},"md",{},{},{"title":126,"description":190},"oUzAYAwZJqSEC-yqhXXOpraz7LppVesq9mdmI36JFsA",[1582,1583],{"title":122,"path":123,"stem":124,"description":190,"children":-1},{"title":130,"path":131,"stem":132,"description":190,"children":-1},1776888559437]