[{"data":1,"prerenderedAt":640},["ShallowReactive",2],{"navigation":3,"-jwt":167,"-jwt-surround":637},[4,22,78,106,141,148],{"title":5,"path":6,"stem":7,"children":8},"Introduction","\u002Fgetting-started","0.Getting-Started\u002F0.index",[9,10,14,18],{"title":5,"path":6,"stem":7},{"title":11,"path":12,"stem":13},"Installation","\u002Fgetting-started\u002Finstallation","0.Getting-Started\u002F1.installation",{"title":15,"path":16,"stem":17},"Quickstart","\u002Fgetting-started\u002Fquickstart","0.Getting-Started\u002F2.quickstart",{"title":19,"path":20,"stem":21},"Core concepts","\u002Fgetting-started\u002Fcore-concepts","0.Getting-Started\u002F3.core-concepts",{"title":23,"path":24,"stem":25,"children":26,"icon":28},"JWT","\u002Fjwt","1.JWT\u002F0.index",[27,29,52],{"title":23,"path":24,"stem":25,"icon":28},"i-carbon-certificate",{"title":30,"path":31,"stem":32,"children":33,"icon":35},"JWS","\u002Fjwt\u002Fjws","1.JWT\u002F1.JWS\u002F0.index",[34,36,40,44,48],{"title":30,"path":31,"stem":32,"icon":35},"i-carbon-document-signed",{"title":37,"path":38,"stem":39},"Signing","\u002Fjwt\u002Fjws\u002Fsigning","1.JWT\u002F1.JWS\u002F1.signing",{"title":41,"path":42,"stem":43},"Verifying","\u002Fjwt\u002Fjws\u002Fverifying","1.JWT\u002F1.JWS\u002F2.verifying",{"title":45,"path":46,"stem":47},"Multi-signature","\u002Fjwt\u002Fjws\u002Fmulti-signature","1.JWT\u002F1.JWS\u002F3.multi-signature",{"title":49,"path":50,"stem":51},"Algorithms","\u002Fjwt\u002Fjws\u002Falgorithms","1.JWT\u002F1.JWS\u002F4.algorithms",{"title":53,"path":54,"stem":55,"children":56,"icon":58},"JWE","\u002Fjwt\u002Fjwe","1.JWT\u002F2.JWE\u002F0.index",[57,59,63,67,71,75],{"title":53,"path":54,"stem":55,"icon":58},"i-carbon-locked",{"title":60,"path":61,"stem":62},"Encrypting","\u002Fjwt\u002Fjwe\u002Fencrypting","1.JWT\u002F2.JWE\u002F1.encrypting",{"title":64,"path":65,"stem":66},"Decrypting","\u002Fjwt\u002Fjwe\u002Fdecrypting","1.JWT\u002F2.JWE\u002F2.decrypting",{"title":68,"path":69,"stem":70},"M
ulti-recipient","\u002Fjwt\u002Fjwe\u002Fmulti-recipient","1.JWT\u002F2.JWE\u002F3.multi-recipient",{"title":72,"path":73,"stem":74},"ECDH-ES and end-to-end encryption","\u002Fjwt\u002Fjwe\u002Fecdh-es","1.JWT\u002F2.JWE\u002F4.ecdh-es",{"title":49,"path":76,"stem":77},"\u002Fjwt\u002Fjwe\u002Falgorithms","1.JWT\u002F2.JWE\u002F5.algorithms",{"title":79,"path":80,"stem":81,"children":82,"icon":84},"Examples","\u002Fexamples","10.Examples\u002F0.index",[83,85,90,94,98,102],{"title":79,"path":80,"stem":81,"icon":84},"i-carbon-code-reference",{"title":86,"path":87,"stem":88,"icon":89},"Authentication basics","\u002Fexamples\u002Fauthentication-basics","10.Examples\u002F1.authentication-basics","i-lucide-code",{"title":91,"path":92,"stem":93,"icon":89},"Consuming a JWKS endpoint","\u002Fexamples\u002Fjwks-endpoint","10.Examples\u002F2.jwks-endpoint",{"title":95,"path":96,"stem":97,"icon":89},"Refresh token pattern","\u002Fexamples\u002Frefresh-token-pattern","10.Examples\u002F3.refresh-token-pattern",{"title":99,"path":100,"stem":101,"icon":89},"End-to-end encryption","\u002Fexamples\u002Fend-to-end-encryption","10.Examples\u002F4.end-to-end-encryption",{"title":103,"path":104,"stem":105,"icon":89},"Signed receipts","\u002Fexamples\u002Fsigned-receipts","10.Examples\u002F5.signed-receipts",{"title":107,"path":108,"stem":109,"children":110,"icon":112},"JWK","\u002Fjwk","2.JWK\u002F0.index",[111,113,117,121,125,129,133,137],{"title":107,"path":108,"stem":109,"icon":112},"i-carbon-two-factor-authentication",{"title":114,"path":115,"stem":116},"Generating keys","\u002Fjwk\u002Fgenerating","2.JWK\u002F1.generating",{"title":118,"path":119,"stem":120},"Importing and exporting","\u002Fjwk\u002Fimport-export","2.JWK\u002F2.import-export",{"title":122,"path":123,"stem":124},"PEM conversion","\u002Fjwk\u002Fpem","2.JWK\u002F3.pem",{"title":126,"path":127,"stem":128},"Key wrapping","\u002Fjwk\u002Fwrapping","2.JWK\u002F4.wrapping",{"title":130,"path":131,"stem":132},"Password 
derivation","\u002Fjwk\u002Fpassword-derivation","2.JWK\u002F5.password-derivation",{"title":134,"path":135,"stem":136},"JWK Sets","\u002Fjwk\u002Fjwk-sets","2.JWK\u002F6.jwk-sets",{"title":138,"path":139,"stem":140},"JWK cache","\u002Fjwk\u002Fcache","2.JWK\u002F7.cache",{"title":142,"path":143,"stem":144,"children":145,"icon":147},"Utilities","\u002Futilities","3.Utilities\u002F0.index",[146],{"title":142,"path":143,"stem":144,"icon":147},"i-carbon-tool-box",{"title":149,"path":150,"stem":151,"children":152,"icon":154},"Adapters","\u002Fadapters","99.Adapters\u002F0.index",[153,155,159,163],{"title":149,"path":150,"stem":151,"icon":154},"i-carbon-plug",{"title":156,"path":157,"stem":158},"H3 sessions","\u002Fadapters\u002Fh3-sessions","99.Adapters\u002F1.h3-sessions",{"title":160,"path":161,"stem":162},"Lifecycle hooks","\u002Fadapters\u002Fhooks","99.Adapters\u002F2.hooks",{"title":164,"path":165,"stem":166},"Lower-level functions","\u002Fadapters\u002Flower-level","99.Adapters\u002F3.lower-level",{"id":168,"title":23,"body":169,"description":242,"extension":632,"meta":633,"navigation":634,"path":24,"seo":635,"stem":25,"__hash__":636},"content\u002F1.JWT\u002F0.index.md",{"type":170,"value":171,"toc":624,"icon":28},"minimark",[172,184,202,221,226,233,243,279,286,292,299,327,331,399,402,421,425,428,459,462,498,501,505,508,597,606,610],[173,174,175,176,183],"p",{},"A JSON Web Token (",[177,178,182],"a",{"href":179,"rel":180},"https:\u002F\u002Fwww.rfc-editor.org\u002Frfc\u002Frfc7519",[181],"nofollow","RFC 7519",") is a short string that carries a JSON payload across systems — typically for authentication, authorization, or short-lived messages. 
Every JWT is either:",[185,186,187,196],"ul",{},[188,189,190,191,195],"li",{},"a ",[192,193,194],"strong",{},"JSON Web Signature"," (JWS) — the payload is readable, but tampering is detectable, or",[188,197,190,198,201],{},[192,199,200],{},"JSON Web Encryption"," (JWE) — the payload is unreadable without the right key.",[173,203,204,205,209,210,213,214,209,217,220],{},"Both share the same outer shape: base64url-encoded segments joined by dots — three for a compact JWS, five for a compact JWE. What differs is what happens between ",[206,207,208],"code",{},"sign()"," \u002F ",[206,211,212],{},"verify()"," (JWS) and ",[206,215,216],{},"encrypt()",[206,218,219],{},"decrypt()"," (JWE).",[222,223,225],"h2",{"id":224},"anatomy","Anatomy",[173,227,228,229,232],{},"A typical ",[192,230,231],{},"compact JWS"," has three parts:",[234,235,240],"pre",{"className":236,"code":238,"language":239},[237],"language-text","eyJhbGci...   .eyJzdWIi...   .MEUCIQDwW0...\n\u003Cheader>      .\u003Cpayload>      .\u003Csignature>\n","text",[206,241,238],{"__ignoreMap":242},"",[185,244,245,263,269],{},[188,246,247,250,251,254,255,258,259,262],{},[192,248,249],{},"Header"," — algorithm (",[206,252,253],{},"alg","), type (",[206,256,257],{},"typ","), key id (",[206,260,261],{},"kid","), etc.",[188,264,265,268],{},[192,266,267],{},"Payload"," — the JSON claims, base64url-encoded.",[188,270,271,274,275,278],{},[192,272,273],{},"Signature"," — a MAC or digital signature over ",[206,276,277],{},"header.payload",".",[173,280,281,282,285],{},"A ",[192,283,284],{},"compact JWE"," has five parts:",[234,287,290],{"className":288,"code":289,"language":239},[237],"eyJhbGci... .e1h3WklRxw...  .48V1_ALb6... .5eym8TW_c... .XFBoMYUZo...\n\u003Cheader>    .\u003CencryptedKey> .\u003Civ>         .\u003Cciphertext> .\u003Ctag>\n",[206,291,289],{"__ignoreMap":242},[173,293,294,295,298],{},"The payload is gone — replaced by ciphertext that only the recipient's key can unlock, plus an IV and an authentication tag. 
The ",[206,296,297],{},"encryptedKey"," segment is the Content Encryption Key, itself wrapped by the recipient's key.",[300,301,302],"note",{},[173,303,304,305,308,309,318,319,278],{},"The compact form is the most common, but both specs define richer ",[192,306,307],{},"JSON Serializations"," too — General (multi-signer \u002F multi-recipient) and Flattened (single-signer \u002F single-recipient, but in JSON shape). unjwt supports these through ",[177,310,311,314,315],{"href":46},[206,312,313],{},"signMulti","\u002F",[206,316,317],{},"verifyMulti"," and ",[177,320,321,314,324],{"href":69},[206,322,323],{},"encryptMulti",[206,325,326],{},"decryptMulti",[222,328,330],{"id":329},"when-to-sign-vs-encrypt","When to sign vs. encrypt",[332,333,334,347],"table",{},[335,336,337],"thead",{},[338,339,340,344],"tr",{},[341,342,343],"th",{},"If the data is…",[341,345,346],{},"Use…",[348,349,350,360,369,378,387],"tbody",{},[338,351,352,356],{},[353,354,355],"td",{},"Non-sensitive identity data (user id, role)",[353,357,358],{},[177,359,30],{"href":31},[338,361,362,365],{},[353,363,364],{},"Inspectable by the client (preferences, flags)",[353,366,367],{},[177,368,30],{"href":31},[338,370,371,374],{},[353,372,373],{},"Readable by third parties (federated identity)",[353,375,376],{},[177,377,30],{"href":31},[338,379,380,383],{},[353,381,382],{},"Sensitive (tokens, PII, secrets, refresh state)",[353,384,385],{},[177,386,53],{"href":54},[338,388,389,396],{},[353,390,391,392,395],{},"Both confidential ",[192,393,394],{},"and"," provably from you",[353,397,398],{},"Nested JWT (JWS-in-JWE)",[173,400,401],{},"JWS is the default. Encrypt only when the content itself needs to be hidden.",[403,404,405],"tip",{},[173,406,281,407,410,411,413,414,314,417,420],{},[192,408,409],{},"nested JWT"," — signing a payload, then encrypting the resulting JWS — gives you both authenticity and confidentiality. 
Do it by encrypting a signed token: pass the JWS string as the payload to ",[206,412,216]," with ",[206,415,416],{},"typ: \"JWT\"",[206,418,419],{},"cty: \"JWT\""," headers. unjwt doesn't add syntax sugar for this because it's already one line. On the receiving side, decrypt first and then verify the inner JWS — the authenticity guarantee comes from that signature check, not from decryption.",[222,422,424],{"id":423},"what-unjwt-gives-you","What unjwt gives you",[173,426,427],{},"For JWS (signed tokens):",[185,429,430,441],{},[188,431,432,209,436,440],{},[177,433,434],{"href":38},[206,435,208],{},[177,437,438],{"href":42},[206,439,212],{}," — compact serialization, the common case.",[188,442,443,209,448,209,453,458],{},[177,444,445],{"href":46},[206,446,447],{},"signMulti()",[177,449,450],{"href":46},[206,451,452],{},"verifyMulti()",[177,454,455],{"href":46},[206,456,457],{},"verifyMultiAll()"," — General JSON Serialization with multiple signers.",[173,460,461],{},"For JWE (encrypted tokens):",[185,463,464,475,488],{},[188,465,466,209,470,474],{},[177,467,468],{"href":61},[206,469,216],{},[177,471,472],{"href":65},[206,473,219],{}," — compact serialization.",[188,476,477,209,482,487],{},[177,478,479],{"href":69},[206,480,481],{},"encryptMulti()",[177,483,484],{"href":69},[206,485,486],{},"decryptMulti()"," — General JSON Serialization with multiple recipients.",[188,489,490,318,493,497],{},[177,491,492],{"href":73},"ECDH-ES",[177,494,496],{"href":495},"\u002Fjwt\u002Fjwe\u002Falgorithms#password-based-pbes2","password-based"," flows as first-class paths.",[173,499,500],{},"Both pages below give you the overview and basic usage; sub-pages go into each function in detail.",[222,502,504],{"id":503},"common-options-both-sides","Common options, both sides",[173,506,507],{},"A few options show up identically on both signing and encryption:",[185,509,510,562,575],{},[188,511,512,517,518,521,522,525,526,529,530,529,533,529,536,529,539,529,542,529,545,529,548,551,552,209,555,209,558,561],{},[192,513,514],{},[206,515,516],{},"expiresIn"," — adds an ",[206,519,520],{},"exp"," claim relative to 
",[206,523,524],{},"iat",". Accepts ",[206,527,528],{},"30 \u002F* seconds *\u002F",", ",[206,531,532],{},"\"30s\"",[206,534,535],{},"\"10m\"",[206,537,538],{},"\"2h\"",[206,540,541],{},"\"7D\"",[206,543,544],{},"\"1W\"",[206,546,547],{},"\"3M\"",[206,549,550],{},"\"1Y\""," and the long-form ",[206,553,554],{},"\"7days\"",[206,556,557],{},"\"3months\"",[206,559,560],{},"\"1year\""," (no space between number and unit).",[188,563,564,569,570,314,572,574],{},[192,565,566],{},[206,567,568],{},"currentDate"," — override \"now\" for ",[206,571,524],{},[206,573,520],{}," calculation (useful in tests).",[188,576,577,582,583,529,585,529,587,590,591,314,593,596],{},[192,578,579],{},[206,580,581],{},"protectedHeader"," — extra header parameters (",[206,584,261],{},[206,586,257],{},[206,588,589],{},"cty",", custom fields). ",[206,592,253],{},[206,594,595],{},"enc"," are managed by the library and can't be overridden here.",[173,598,599,600,278],{},"Claim validation is shared too — see ",[177,601,603],{"href":602},"\u002Futilities#validatejwtclaims",[206,604,605],{},"JWTClaimValidationOptions",[222,607,609],{"id":608},"next","Next",[185,611,612,618],{},[188,613,614,617],{},[177,615,616],{"href":31},"JWS →"," — signing and verifying.",[188,619,620,623],{},[177,621,622],{"href":54},"JWE →"," — encrypting and decrypting.",{"title":242,"searchDepth":625,"depth":625,"links":626},2,[627,628,629,630,631],{"id":224,"depth":625,"text":225},{"id":329,"depth":625,"text":330},{"id":423,"depth":625,"text":424},{"id":503,"depth":625,"text":504},{"id":608,"depth":625,"text":609},"md",{"icon":28},{"icon":28},{"title":23,"description":242},"2e-9Ykv_1taTMHqQCByK-mVuasNvhuD27ZqNyphiU14",[638,639],{"title":19,"path":20,"stem":21,"description":242,"children":-1},{"title":30,"path":31,"stem":32,"description":242,"icon":35,"children":-1},1776888557910]