[{"data":1,"prerenderedAt":1502},["ShallowReactive",2],{"navigation":3,"-jwt-jwe-decrypting":167,"-jwt-jwe-decrypting-surround":1499},[4,22,78,106,141,148],{"title":5,"path":6,"stem":7,"children":8},"Introduction","\u002Fgetting-started","0.Getting-Started\u002F0.index",[9,10,14,18],{"title":5,"path":6,"stem":7},{"title":11,"path":12,"stem":13},"Installation","\u002Fgetting-started\u002Finstallation","0.Getting-Started\u002F1.installation",{"title":15,"path":16,"stem":17},"Quickstart","\u002Fgetting-started\u002Fquickstart","0.Getting-Started\u002F2.quickstart",{"title":19,"path":20,"stem":21},"Core concepts","\u002Fgetting-started\u002Fcore-concepts","0.Getting-Started\u002F3.core-concepts",{"title":23,"path":24,"stem":25,"children":26,"icon":28},"JWT","\u002Fjwt","1.JWT\u002F0.index",[27,29,52],{"title":23,"path":24,"stem":25,"icon":28},"i-carbon-certificate",{"title":30,"path":31,"stem":32,"children":33,"icon":35},"JWS","\u002Fjwt\u002Fjws","1.JWT\u002F1.JWS\u002F0.index",[34,36,40,44,48],{"title":30,"path":31,"stem":32,"icon":35},"i-carbon-document-signed",{"title":37,"path":38,"stem":39},"Signing","\u002Fjwt\u002Fjws\u002Fsigning","1.JWT\u002F1.JWS\u002F1.signing",{"title":41,"path":42,"stem":43},"Verifying","\u002Fjwt\u002Fjws\u002Fverifying","1.JWT\u002F1.JWS\u002F2.verifying",{"title":45,"path":46,"stem":47},"Multi-signature","\u002Fjwt\u002Fjws\u002Fmulti-signature","1.JWT\u002F1.JWS\u002F3.multi-signature",{"title":49,"path":50,"stem":51},"Algorithms","\u002Fjwt\u002Fjws\u002Falgorithms","1.JWT\u002F1.JWS\u002F4.algorithms",{"title":53,"path":54,"stem":55,"children":56,"icon":58},"JWE","\u002Fjwt\u002Fjwe","1.JWT\u002F2.JWE\u002F0.index",[57,59,63,67,71,75],{"title":53,"path":54,"stem":55,"icon":58},"i-carbon-locked",{"title":60,"path":61,"stem":62},"Encrypting","\u002Fjwt\u002Fjwe\u002Fencrypting","1.JWT\u002F2.JWE\u002F1.encrypting",{"title":64,"path":65,"stem":66},"Decrypting","\u002Fjwt\u002Fjwe\u002Fdecrypting","1.JWT\u002F2.JWE\u002F2.decrypting",{"title":68,"path":69,"stem":70},"Multi-recipient","\u002Fjwt\u002Fjwe\u002Fmulti-recipient","1.JWT\u002F2.JWE\u002F3.multi-recipient",{"title":72,"path":73,"stem":74},"ECDH-ES and end-to-end encryption","\u002Fjwt\u002Fjwe\u002Fecdh-es","1.JWT\u002F2.JWE\u002F4.ecdh-es",{"title":49,"path":76,"stem":77},"\u002Fjwt\u002Fjwe\u002Falgorithms","1.JWT\u002F2.JWE\u002F5.algorithms",{"title":79,"path":80,"stem":81,"children":82,"icon":84},"Examples","\u002Fexamples","10.Examples\u002F0.index",[83,85,90,94,98,102],{"title":79,"path":80,"stem":81,"icon":84},"i-carbon-code-reference",{"title":86,"path":87,"stem":88,"icon":89},"Authentication basics","\u002Fexamples\u002Fauthentication-basics","10.Examples\u002F1.authentication-basics","i-lucide-code",{"title":91,"path":92,"stem":93,"icon":89},"Consuming a JWKS endpoint","\u002Fexamples\u002Fjwks-endpoint","10.Examples\u002F2.jwks-endpoint",{"title":95,"path":96,"stem":97,"icon":89},"Refresh token pattern","\u002Fexamples\u002Frefresh-token-pattern","10.Examples\u002F3.refresh-token-pattern",{"title":99,"path":100,"stem":101,"icon":89},"End-to-end encryption","\u002Fexamples\u002Fend-to-end-encryption","10.Examples\u002F4.end-to-end-encryption",{"title":103,"path":104,"stem":105,"icon":89},"Signed receipts","\u002Fexamples\u002Fsigned-receipts","10.Examples\u002F5.signed-receipts",{"title":107,"path":108,"stem":109,"children":110,"icon":112},"JWK","\u002Fjwk","2.JWK\u002F0.index",[111,113,117,121,125,129,133,137],{"title":107,"path":108,"stem":109,"icon":112},"i-carbon-two-factor-authentication",{"title":114,"path":115,"stem":116},"Generating keys","\u002Fjwk\u002Fgenerating","2.JWK\u002F1.generating",{"title":118,"path":119,"stem":120},"Importing and exporting","\u002Fjwk\u002Fimport-export","2.JWK\u002F2.import-export",{"title":122,"path":123,"stem":124},"PEM conversion","\u002Fjwk\u002Fpem","2.JWK\u002F3.pem",{"title":126,"path":127,"stem":128},"Key wrapping","\u002Fjwk\u002Fwrapping","2.JWK\u002F4.wrapping",{"title":130,"path":131,"stem":132},"Password derivation","\u002Fjwk\u002Fpassword-derivation","2.JWK\u002F5.password-derivation",{"title":134,"path":135,"stem":136},"JWK Sets","\u002Fjwk\u002Fjwk-sets","2.JWK\u002F6.jwk-sets",{"title":138,"path":139,"stem":140},"JWK cache","\u002Fjwk\u002Fcache","2.JWK\u002F7.cache",{"title":142,"path":143,"stem":144,"children":145,"icon":147},"Utilities","\u002Futilities","3.Utilities\u002F0.index",[146],{"title":142,"path":143,"stem":144,"icon":147},"i-carbon-tool-box",{"title":149,"path":150,"stem":151,"children":152,"icon":154},"Adapters","\u002Fadapters","99.Adapters\u002F0.index",[153,155,159,163],{"title":149,"path":150,"stem":151,"icon":154},"i-carbon-plug",{"title":156,"path":157,"stem":158},"H3 sessions","\u002Fadapters\u002Fh3-sessions","99.Adapters\u002F1.h3-sessions",{"title":160,"path":161,"stem":162},"Lifecycle hooks","\u002Fadapters\u002Fhooks","99.Adapters\u002F2.hooks",{"title":164,"path":165,"stem":166},"Lower-level functions","\u002Fadapters\u002Flower-level","99.Adapters\u002F3.lower-level",{"id":168,"title":64,"body":169,"description":178,"extension":1494,"meta":1495,"navigation":1496,"path":65,"seo":1497,"stem":66,"__hash__":1498},"content\u002F1.JWT\u002F2.JWE\u002F2.decrypting.md",{"type":170,"value":171,"toc":1481},"minimark",[172,202,206,211,397,433,440,444,481,505,509,512,538,551,586,589,644,657,661,666,772,782,786,792,826,829,833,847,883,890,950,954,964,1012,1015,1019,1053,1060,1064,1155,1158,1202,1206,1449,1453,1477],[173,174,179],"pre",{"className":175,"code":176,"language":177,"meta":178,"style":178},"language-ts shiki shiki-themes github-light github-dark github-dark","decrypt(token, key, options?)\n","ts","",[180,181,182],"code",{"__ignoreMap":178},[183,184,187,191,195,199],"span",{"class":185,"line":186},"line",1,[183,188,190],{"class":189},"shcOC","decrypt",[183,192,194],{"class":193},"slsVL","(token, key, options",[183,196,198],{"class":197},"so5gQ","?",[183,200,201],{"class":193},")\n",[203,204,205],"p",{},"Parses a compact JWE, validates header allowlists, decrypts the payload, and validates JWT claims (when the decrypted payload is an object).",[207,208,210],"h2",{"id":209},"parameters","Parameters",[212,213,214,227],"table",{},[215,216,217],"thead",{},[218,219,220,224],"tr",{},[221,222,223],"th",{},"Name",[221,225,226],{},"Type",[228,229,230,244,256,272,287,300,312,332,353,371],"tbody",{},[218,231,232,238],{},[233,234,235],"td",{},[180,236,237],{},"token",[233,239,240,243],{},[180,241,242],{},"string"," — the compact JWE",[218,245,246,251],{},[233,247,248],{},[180,249,250],{},"key",[233,252,253],{},[180,254,255],{},"CryptoKey | JWKSet | JWEDecryptJWK | string | Uint8Array | JWKLookupFunction",[218,257,258,263],{},[233,259,260],{},[180,261,262],{},"options.algorithms",[233,264,265,268,269],{},[180,266,267],{},"KeyManagementAlgorithm[]"," — allowlist for ",[180,270,271],{},"alg",[218,273,274,279],{},[233,275,276],{},[180,277,278],{},"options.encryptionAlgorithms",[233,280,281,268,284],{},[180,282,283],{},"ContentEncryptionAlgorithm[]",[180,285,286],{},"enc",[218,288,289,294],{},[233,290,291],{},[180,292,293],{},"options.validateClaims",[233,295,296,299],{},[180,297,298],{},"boolean"," — force-skip claim validation",[218,301,302,307],{},[233,303,304],{},[180,305,306],{},"options.forceUint8Array",[233,308,309,311],{},[180,310,298],{}," — return bytes instead of parsed JSON",[218,313,314,319],{},[233,315,316],{},[180,317,318],{},"options.returnCek",[233,320,321,323,324,327,328,331],{},[180,322,298],{}," — include ",[180,325,326],{},"cek"," and ",[180,329,330],{},"aad"," in the result",[218,333,334,339],{},[233,335,336],{},[180,337,338],{},"options.minIterations",[233,340,341,344,345,348,349,352],{},[180,342,343],{},"number"," — PBES2 ",[180,346,347],{},"p2c"," floor (default ",[180,350,351],{},"1000"," per RFC 7518)",[218,354,355,360],{},[233,356,357],{},[180,358,359],{},"options.maxIterations",[233,361,362,344,364,366,367,370],{},[180,363,343],{},[180,365,347],{}," ceiling (default ",[180,368,369],{},"1_000_000",")",[218,372,373,376],{},[233,374,375],{},"Claim options",[233,377,378,379,382,383,386,387,386,390,386,393,396],{},"Same as ",[180,380,381],{},"verify()"," — ",[180,384,385],{},"audience",", ",[180,388,389],{},"issuer",[180,391,392],{},"subject",[180,394,395],{},"maxTokenAge",", etc.",[203,398,399,402,403,409,410,413,414,416,417,421,422,424,425,428,429,432],{},[180,400,401],{},"JWEDecryptJWK"," is the private-side counterpart of ",[404,405,406],"a",{"href":61},[180,407,408],{},"JWEEncryptJWK"," — an ",[180,411,412],{},"oct"," JWK with a JWE symmetric ",[180,415,271],{},", or a ",[418,419,420],"em",{},"private"," asymmetric JWK whose ",[180,423,271],{}," is RSA-OAEP or ECDH-ES. ",[180,426,427],{},"JWKSet"," stays fully permissive (",[180,430,431],{},"JWK[]","); wire JWKS are heterogeneous and the runtime filters candidates per header.",[203,434,435,436,439],{},"Returns ",[180,437,438],{},"Promise\u003C{ payload, protectedHeader, cek?, aad? }>",".",[207,441,443],{"id":442},"the-simple-case","The simple case",[173,445,447],{"className":175,"code":446,"language":177,"meta":178,"style":178},"const { payload, protectedHeader } = await decrypt(token, key);\n",[180,448,449],{"__ignoreMap":178},[183,450,451,454,457,461,463,466,469,472,475,478],{"class":185,"line":186},[183,452,453],{"class":197},"const",[183,455,456],{"class":193}," { ",[183,458,460],{"class":459},"suiK_","payload",[183,462,386],{"class":193},[183,464,465],{"class":459},"protectedHeader",[183,467,468],{"class":193}," } ",[183,470,471],{"class":197},"=",[183,473,474],{"class":197}," await",[183,476,477],{"class":189}," decrypt",[183,479,480],{"class":193},"(token, key);\n",[203,482,483,484,486,487,490,491,493,494,496,497,500,501,504],{},"If the key is a JWK with an ",[180,485,271],{}," field (as ",[180,488,489],{},"generateJWK()"," produces), unjwt infers the expected ",[180,492,271],{}," and proceeds. For passwords and raw bytes, ",[180,495,271],{}," is inferred when possible (passwords → PBES2 variants; ",[180,498,499],{},"Uint8Array"," → symmetric unwrap or ",[180,502,503],{},"dir",").",[207,506,508],{"id":507},"algorithm-allowlists","Algorithm allowlists",[203,510,511],{},"Two allowlists protect the decryptor:",[513,514,515,528],"ul",{},[516,517,518,524,525,527],"li",{},[519,520,521],"strong",{},[180,522,523],{},"algorithms"," — which key-management (",[180,526,271],{},") values are acceptable.",[516,529,530,535,536,527],{},[519,531,532],{},[180,533,534],{},"encryptionAlgorithms"," — which content-encryption (",[180,537,286],{},[203,539,540,541,547,548,550],{},"When omitted, unjwt calls ",[404,542,544],{"href":543},"\u002Futilities#inferjweallowedalgorithms",[180,545,546],{},"inferJWEAllowedAlgorithms"," to derive an ",[180,549,271],{}," allowlist from the key shape:",[513,552,553,564,573,580],{},[516,554,555,557,558,560,561],{},[180,556,242],{}," \u002F ",[180,559,499],{}," password → ",[180,562,563],{},"[\"PBES2-HS256+A128KW\", \"PBES2-HS384+A192KW\", \"PBES2-HS512+A256KW\", \"dir\"]",[516,565,566,567,569,570],{},"Symmetric JWK with a specific wrap ",[180,568,271],{}," → that alg plus ",[180,571,572],{},"\"dir\"",[516,574,575,576,579],{},"RSA private JWK → the matching ",[180,577,578],{},"RSA-OAEP*"," variants",[516,581,582,583,579],{},"EC\u002FOKP private JWK → the matching ",[180,584,585],{},"ECDH-ES*",[203,587,588],{},"If inference fails (lookup function, ambiguous key), pass explicitly:",[173,590,593],{"className":175,"code":591,"filename":592,"language":177,"meta":178,"style":178},"const { payload } = await decrypt(token, lookupFn, {\n  algorithms: [\"RSA-OAEP-256\"],\n  encryptionAlgorithms: [\"A256GCM\"],\n});\n","explicit-allowlist.ts",[180,594,595,614,627,638],{"__ignoreMap":178},[183,596,597,599,601,603,605,607,609,611],{"class":185,"line":186},[183,598,453],{"class":197},[183,600,456],{"class":193},[183,602,460],{"class":459},[183,604,468],{"class":193},[183,606,471],{"class":197},[183,608,474],{"class":197},[183,610,477],{"class":189},[183,612,613],{"class":193},"(token, lookupFn, {\n",[183,615,617,620,624],{"class":185,"line":616},2,[183,618,619],{"class":193},"  algorithms: [",[183,621,623],{"class":622},"sfrk1","\"RSA-OAEP-256\"",[183,625,626],{"class":193},"],\n",[183,628,630,633,636],{"class":185,"line":629},3,[183,631,632],{"class":193},"  encryptionAlgorithms: [",[183,634,635],{"class":622},"\"A256GCM\"",[183,637,626],{"class":193},[183,639,641],{"class":185,"line":640},4,[183,642,643],{"class":193},"});\n",[645,646,647],"tip",{},[203,648,649,650,652,653,656],{},"Setting ",[180,651,534],{}," is always a good idea — it's the only protection against a malicious token using a weaker-than-intended content cipher. ",[180,654,655],{},"[\"A256GCM\"]"," is a strong default.",[207,658,660],{"id":659},"dynamic-key-resolution","Dynamic key resolution",[203,662,378,663,665],{},[180,664,381],{}," — pass a function that receives the header:",[173,667,670],{"className":175,"code":668,"filename":669,"language":177,"meta":178,"style":178},"const { payload } = await decrypt(\n  token,\n  async (header, _rawToken) => {\n    return await keyStore.get(header.kid!);\n  },\n  { algorithms: [\"ECDH-ES+A256KW\"], encryptionAlgorithms: [\"A256GCM\"] },\n);\n","lookup.ts",[180,671,672,691,696,722,744,750,767],{"__ignoreMap":178},[183,673,674,676,678,680,682,684,686,688],{"class":185,"line":186},[183,675,453],{"class":197},[183,677,456],{"class":193},[183,679,460],{"class":459},[183,681,468],{"class":193},[183,683,471],{"class":197},[183,685,474],{"class":197},[183,687,477],{"class":189},[183,689,690],{"class":193},"(\n",[183,692,693],{"class":185,"line":616},[183,694,695],{"class":193},"  token,\n",[183,697,698,701,704,708,710,713,716,719],{"class":185,"line":629},[183,699,700],{"class":197},"  async",[183,702,703],{"class":193}," (",[183,705,707],{"class":706},"sQHwn","header",[183,709,386],{"class":193},[183,711,712],{"class":706},"_rawToken",[183,714,715],{"class":193},") ",[183,717,718],{"class":197},"=>",[183,720,721],{"class":193}," {\n",[183,723,724,727,729,732,735,738,741],{"class":185,"line":640},[183,725,726],{"class":197},"    return",[183,728,474],{"class":197},[183,730,731],{"class":193}," keyStore.",[183,733,734],{"class":189},"get",[183,736,737],{"class":193},"(header.kid",[183,739,740],{"class":197},"!",[183,742,743],{"class":193},");\n",[183,745,747],{"class":185,"line":746},5,[183,748,749],{"class":193},"  },\n",[183,751,753,756,759,762,764],{"class":185,"line":752},6,[183,754,755],{"class":193},"  { algorithms: [",[183,757,758],{"class":622},"\"ECDH-ES+A256KW\"",[183,760,761],{"class":193},"], encryptionAlgorithms: [",[183,763,635],{"class":622},[183,765,766],{"class":193},"] },\n",[183,768,770],{"class":185,"line":769},7,[183,771,743],{"class":193},[203,773,774,775,778,779,781],{},"A ",[180,776,777],{},"JWKLookupFunction"," can return a single key or a ",[180,780,427],{},"; if it returns a set, the per-kid \u002F per-alg retry logic applies.",[207,783,785],{"id":784},"jwkset-rotation-and-multi-key-decryption","JWKSet — rotation and multi-key decryption",[203,787,788,789,791],{},"When you pass a ",[180,790,427],{}," (directly or returned from a lookup), unjwt selects candidates like it does on the sign side:",[793,794,796,807,819],"steps",{"level":795},"4",[797,798,799,800,803,804,806],"h4",{},"Token's header has ",[180,801,802],{},"kid"," — only keys with that ",[180,805,802],{}," are tried.",[797,808,809,810,812,813,815,816,818],{},"No ",[180,811,802],{}," — all keys whose ",[180,814,271],{}," matches the token's ",[180,817,271],{}," are candidates, tried in order.",[797,820,821,822,825],{},"No candidates — throws ",[180,823,824],{},"ERR_JWK_KEY_NOT_FOUND"," before any crypto runs.",[203,827,828],{},"Useful when you rotate encryption keys: the new key wraps future tokens, but older tokens (wrapped with the previous key) still decrypt because both keys live in the set.",[207,830,832],{"id":831},"pbes2-dos-protection","PBES2 DoS protection",[203,834,835,836,838,839,842,843,846],{},"The PBES2 ",[180,837,347],{}," (iteration count) header field is ",[519,840,841],{},"attacker-controlled"," — a malicious sender could craft a token with ",[180,844,845],{},"p2c: 1_000_000_000"," to burn your CPU on decryption. unjwt guards against this by default:",[173,848,850],{"className":175,"code":849,"language":177,"meta":178,"style":178},"minIterations: 1000; \u002F\u002F RFC 7518 §4.8.1.2 mandated floor\nmaxIterations: 1_000_000; \u002F\u002F sane ceiling\n",[180,851,852,869],{"__ignoreMap":178},[183,853,854,857,860,862,865],{"class":185,"line":186},[183,855,856],{"class":189},"minIterations",[183,858,859],{"class":193},": ",[183,861,351],{"class":459},[183,863,864],{"class":193},"; ",[183,866,868],{"class":867},"sCsY4","\u002F\u002F RFC 7518 §4.8.1.2 mandated floor\n",[183,870,871,874,876,878,880],{"class":185,"line":616},[183,872,873],{"class":189},"maxIterations",[183,875,859],{"class":193},[183,877,369],{"class":459},[183,879,864],{"class":193},[183,881,882],{"class":867},"\u002F\u002F sane ceiling\n",[203,884,885,886,889],{},"Any token outside this range is rejected with ",[180,887,888],{},"ERR_JWE_P2C_OUT_OF_BOUNDS"," before PBKDF2 runs. Override cautiously:",[173,891,893],{"className":175,"code":892,"language":177,"meta":178,"style":178},"const { payload } = await decrypt(token, \"password\", {\n  minIterations: 100_000, \u002F\u002F require at least this many iterations\n  maxIterations: 2_000_000, \u002F\u002F allow stronger-than-default tokens\n});\n",[180,894,895,920,933,946],{"__ignoreMap":178},[183,896,897,899,901,903,905,907,909,911,914,917],{"class":185,"line":186},[183,898,453],{"class":197},[183,900,456],{"class":193},[183,902,460],{"class":459},[183,904,468],{"class":193},[183,906,471],{"class":197},[183,908,474],{"class":197},[183,910,477],{"class":189},[183,912,913],{"class":193},"(token, ",[183,915,916],{"class":622},"\"password\"",[183,918,919],{"class":193},", {\n",[183,921,922,925,928,930],{"class":185,"line":616},[183,923,924],{"class":193},"  minIterations: ",[183,926,927],{"class":459},"100_000",[183,929,386],{"class":193},[183,931,932],{"class":867},"\u002F\u002F require at least this many iterations\n",[183,934,935,938,941,943],{"class":185,"line":629},[183,936,937],{"class":193},"  maxIterations: ",[183,939,940],{"class":459},"2_000_000",[183,942,386],{"class":193},[183,944,945],{"class":867},"\u002F\u002F allow stronger-than-default tokens\n",[183,947,948],{"class":185,"line":640},[183,949,643],{"class":193},[207,951,953],{"id":952},"returning-the-cek","Returning the CEK",[203,955,956,957,959,960,963],{},"For custom verification flows (integrity checks over ",[180,958,330],{},", manual key extraction), pass ",[180,961,962],{},"returnCek: true",":",[173,965,967],{"className":175,"code":966,"language":177,"meta":178,"style":178},"const { payload, cek, aad } = await decrypt(token, key, { returnCek: true });\n\u002F\u002F cek: Uint8Array — the derived Content Encryption Key\n\u002F\u002F aad: Uint8Array — the authenticated additional data (protected header bytes)\n",[180,968,969,1002,1007],{"__ignoreMap":178},[183,970,971,973,975,977,979,981,983,985,987,989,991,993,996,999],{"class":185,"line":186},[183,972,453],{"class":197},[183,974,456],{"class":193},[183,976,460],{"class":459},[183,978,386],{"class":193},[183,980,326],{"class":459},[183,982,386],{"class":193},[183,984,330],{"class":459},[183,986,468],{"class":193},[183,988,471],{"class":197},[183,990,474],{"class":197},[183,992,477],{"class":189},[183,994,995],{"class":193},"(token, key, { returnCek: ",[183,997,998],{"class":459},"true",[183,1000,1001],{"class":193}," });\n",[183,1003,1004],{"class":185,"line":616},[183,1005,1006],{"class":867},"\u002F\u002F cek: Uint8Array — the derived Content Encryption Key\n",[183,1008,1009],{"class":185,"line":629},[183,1010,1011],{"class":867},"\u002F\u002F aad: Uint8Array — the authenticated additional data (protected header bytes)\n",[203,1013,1014],{},"Most callers never need this.",[207,1016,1018],{"id":1017},"claim-validation","Claim validation",[203,1020,1021,1022,1026,1027,386,1030,1033,1034,1037,1038,557,1040,557,1042,557,1044,557,1046,557,1049,1052],{},"Identical to ",[404,1023,1025],{"href":1024},"\u002Fjwt\u002Fjws\u002Fverifying#claim-validation-options","JWS verify",": when the decrypted payload is a JSON object, ",[180,1028,1029],{},"exp",[180,1031,1032],{},"nbf",", and ",[180,1035,1036],{},"iat"," are validated automatically, plus any of ",[180,1039,385],{},[180,1041,389],{},[180,1043,392],{},[180,1045,395],{},[180,1047,1048],{},"requiredClaims",[180,1050,1051],{},"typ"," you pass.",[203,1054,1055,1056,1059],{},"Pass ",[180,1057,1058],{},"validateClaims: false"," to opt out (e.g. when you're decrypting arbitrary bytes rather than claim-bearing JSON).",[207,1061,1063],{"id":1062},"payload-typing","Payload typing",[173,1065,1068],{"className":175,"code":1066,"filename":1067,"language":177,"meta":178,"style":178},"interface Session {\n  userId: string;\n  role: \"admin\" | \"user\";\n}\n\nconst { payload } = await decrypt\u003CSession>(token, key);\npayload.role; \u002F\u002F \"admin\" | \"user\"\n","typed.ts",[180,1069,1070,1080,1093,1111,1116,1122,1147],{"__ignoreMap":178},[183,1071,1072,1075,1078],{"class":185,"line":186},[183,1073,1074],{"class":197},"interface",[183,1076,1077],{"class":189}," Session",[183,1079,721],{"class":193},[183,1081,1082,1085,1087,1090],{"class":185,"line":616},[183,1083,1084],{"class":706},"  userId",[183,1086,963],{"class":197},[183,1088,1089],{"class":459}," string",[183,1091,1092],{"class":193},";\n",[183,1094,1095,1098,1100,1103,1106,1109],{"class":185,"line":629},[183,1096,1097],{"class":706},"  role",[183,1099,963],{"class":197},[183,1101,1102],{"class":622}," \"admin\"",[183,1104,1105],{"class":197}," |",[183,1107,1108],{"class":622}," \"user\"",[183,1110,1092],{"class":193},[183,1112,1113],{"class":185,"line":640},[183,1114,1115],{"class":193},"}\n",[183,1117,1118],{"class":185,"line":746},[183,1119,1121],{"emptyLinePlaceholder":1120},true,"\n",[183,1123,1124,1126,1128,1130,1132,1134,1136,1138,1141,1144],{"class":185,"line":752},[183,1125,453],{"class":197},[183,1127,456],{"class":193},[183,1129,460],{"class":459},[183,1131,468],{"class":193},[183,1133,471],{"class":197},[183,1135,474],{"class":197},[183,1137,477],{"class":189},[183,1139,1140],{"class":193},"\u003C",[183,1142,1143],{"class":189},"Session",[183,1145,1146],{"class":193},">(token, key);\n",[183,1148,1149,1152],{"class":185,"line":769},[183,1150,1151],{"class":193},"payload.role; ",[183,1153,1154],{"class":867},"\u002F\u002F \"admin\" | \"user\"\n",[203,1156,1157],{},"Force bytes:",[173,1159,1161],{"className":175,"code":1160,"language":177,"meta":178,"style":178},"const { payload } = await decrypt(token, key, { forceUint8Array: true });\npayload instanceof Uint8Array; \u002F\u002F true\n",[180,1162,1163,1186],{"__ignoreMap":178},[183,1164,1165,1167,1169,1171,1173,1175,1177,1179,1182,1184],{"class":185,"line":186},[183,1166,453],{"class":197},[183,1168,456],{"class":193},[183,1170,460],{"class":459},[183,1172,468],{"class":193},[183,1174,471],{"class":197},[183,1176,474],{"class":197},[183,1178,477],{"class":189},[183,1180,1181],{"class":193},"(token, key, { forceUint8Array: ",[183,1183,998],{"class":459},[183,1185,1001],{"class":193},[183,1187,1188,1191,1194,1197,1199],{"class":185,"line":616},[183,1189,1190],{"class":193},"payload ",[183,1192,1193],{"class":197},"instanceof",[183,1195,1196],{"class":189}," Uint8Array",[183,1198,864],{"class":193},[183,1200,1201],{"class":867},"\u002F\u002F true\n",[207,1203,1205],{"id":1204},"full-signature","Full signature",[173,1207,1209],{"className":175,"code":1208,"language":177,"meta":178,"style":178},"interface JWEDecryptOptions extends JWTClaimValidationOptions {\n  algorithms?: KeyManagementAlgorithm[];\n  encryptionAlgorithms?: ContentEncryptionAlgorithm[];\n  unwrappedKeyAlgorithm?: Parameters\u003Ctypeof crypto.subtle.importKey>[2];\n  keyUsage?: KeyUsage[];\n  extractable?: boolean;\n  forceUint8Array?: boolean;\n  validateClaims?: boolean;\n  returnCek?: boolean;\n  minIterations?: number;\n  maxIterations?: number;\n}\n\ninterface JWEDecryptResult\u003CT> {\n  payload: T;\n  protectedHeader: JWEProtectedHeader; \u002F\u002F alg and enc required\n  cek?: Uint8Array; \u002F\u002F only when returnCek: true\n  aad?: Uint8Array; \u002F\u002F only when returnCek: true\n}\n",[180,1210,1211,1226,1240,1252,1276,1288,1300,1311,1323,1335,1348,1360,1365,1370,1386,1399,1415,1430,1444],{"__ignoreMap":178},[183,1212,1213,1215,1218,1221,1224],{"class":185,"line":186},[183,1214,1074],{"class":197},[183,1216,1217],{"class":189}," JWEDecryptOptions",[183,1219,1220],{"class":197}," extends",[183,1222,1223],{"class":189}," JWTClaimValidationOptions",[183,1225,721],{"class":193},[183,1227,1228,1231,1234,1237],{"class":185,"line":616},[183,1229,1230],{"class":706},"  algorithms",[183,1232,1233],{"class":197},"?:",[183,1235,1236],{"class":189}," KeyManagementAlgorithm",[183,1238,1239],{"class":193},"[];\n",[183,1241,1242,1245,1247,1250],{"class":185,"line":629},[183,1243,1244],{"class":706},"  encryptionAlgorithms",[183,1246,1233],{"class":197},[183,1248,1249],{"class":189}," ContentEncryptionAlgorithm",[183,1251,1239],{"class":193},[183,1253,1254,1257,1259,1262,1264,1267,1270,1273],{"class":185,"line":640},[183,1255,1256],{"class":706},"  unwrappedKeyAlgorithm",[183,1258,1233],{"class":197},[183,1260,1261],{"class":189}," Parameters",[183,1263,1140],{"class":193},[183,1265,1266],{"class":197},"typeof",[183,1268,1269],{"class":193}," crypto.subtle.importKey>[",[183,1271,1272],{"class":459},"2",[183,1274,1275],{"class":193},"];\n",[183,1277,1278,1281,1283,1286],{"class":185,"line":746},[183,1279,1280],{"class":706},"  keyUsage",[183,1282,1233],{"class":197},[183,1284,1285],{"class":189}," KeyUsage",[183,1287,1239],{"class":193},[183,1289,1290,1293,1295,1298],{"class":185,"line":752},[183,1291,1292],{"class":706},"  extractable",[183,1294,1233],{"class":197},[183,1296,1297],{"class":459}," boolean",[183,1299,1092],{"class":193},[183,1301,1302,1305,1307,1309],{"class":185,"line":769},[183,1303,1304],{"class":706},"  forceUint8Array",[183,1306,1233],{"class":197},[183,1308,1297],{"class":459},[183,1310,1092],{"class":193},[183,1312,1314,1317,1319,1321],{"class":185,"line":1313},8,[183,1315,1316],{"class":706},"  validateClaims",[183,1318,1233],{"class":197},[183,1320,1297],{"class":459},[183,1322,1092],{"class":193},[183,1324,1326,1329,1331,1333],{"class":185,"line":1325},9,[183,1327,1328],{"class":706},"  returnCek",[183,1330,1233],{"class":197},[183,1332,1297],{"class":459},[183,1334,1092],{"class":193},[183,1336,1338,1341,1343,1346],{"class":185,"line":1337},10,[183,1339,1340],{"class":706},"  minIterations",[183,1342,1233],{"class":197},[183,1344,1345],{"class":459}," number",[183,1347,1092],{"class":193},[183,1349,1351,1354,1356,1358],{"class":185,"line":1350},11,[183,1352,1353],{"class":706},"  maxIterations",[183,1355,1233],{"class":197},[183,1357,1345],{"class":459},[183,1359,1092],{"class":193},[183,1361,1363],{"class":185,"line":1362},12,[183,1364,1115],{"class":193},[183,1366,1368],{"class":185,"line":1367},13,[183,1369,1121],{"emptyLinePlaceholder":1120},[183,1371,1373,1375,1378,1380,1383],{"class":185,"line":1372},14,[183,1374,1074],{"class":197},[183,1376,1377],{"class":189}," JWEDecryptResult",[183,1379,1140],{"class":193},[183,1381,1382],{"class":189},"T",[183,1384,1385],{"class":193},"> {\n",[183,1387,1389,1392,1394,1397],{"class":185,"line":1388},15,[183,1390,1391],{"class":706},"  payload",[183,1393,963],{"class":197},[183,1395,1396],{"class":189}," T",[183,1398,1092],{"class":193},[183,1400,1402,1405,1407,1410,1412],{"class":185,"line":1401},16,[183,1403,1404],{"class":706},"  protectedHeader",[183,1406,963],{"class":197},[183,1408,1409],{"class":189}," JWEProtectedHeader",[183,1411,864],{"class":193},[183,1413,1414],{"class":867},"\u002F\u002F alg and enc required\n",[183,1416,1418,1421,1423,1425,1427],{"class":185,"line":1417},17,[183,1419,1420],{"class":706},"  cek",[183,1422,1233],{"class":197},[183,1424,1196],{"class":189},[183,1426,864],{"class":193},[183,1428,1429],{"class":867},"\u002F\u002F only when returnCek: true\n",[183,1431,1433,1436,1438,1440,1442],{"class":185,"line":1432},18,[183,1434,1435],{"class":706},"  aad",[183,1437,1233],{"class":197},[183,1439,1196],{"class":189},[183,1441,864],{"class":193},[183,1443,1429],{"class":867},[183,1445,1447],{"class":185,"line":1446},19,[183,1448,1115],{"class":193},[207,1450,1452],{"id":1451},"see-also","See also",[513,1454,1455,1461,1467],{},[516,1456,1457,1460],{},[404,1458,1459],{"href":61},"Encrypting →"," — the producer side.",[516,1462,1463,1466],{},[404,1464,1465],{"href":69},"Multi-recipient →"," — for General JSON Serialization input.",[516,1468,1469,1472,1473,327,1475,439],{},[404,1470,1471],{"href":76},"Algorithms →"," — picking ",[180,1474,271],{},[180,1476,286],{},[1478,1479,1480],"style",{},"html pre.shiki code .shcOC, html code.shiki .shcOC{--shiki-light:#6F42C1;--shiki-default:#B392F0;--shiki-dark:#B392F0}html pre.shiki code .slsVL, html code.shiki .slsVL{--shiki-light:#24292E;--shiki-default:#E1E4E8;--shiki-dark:#E1E4E8}html pre.shiki code .so5gQ, html code.shiki .so5gQ{--shiki-light:#D73A49;--shiki-default:#F97583;--shiki-dark:#F97583}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .suiK_, html code.shiki .suiK_{--shiki-light:#005CC5;--shiki-default:#79B8FF;--shiki-dark:#79B8FF}html pre.shiki code .sfrk1, html code.shiki .sfrk1{--shiki-light:#032F62;--shiki-default:#9ECBFF;--shiki-dark:#9ECBFF}html pre.shiki code .sQHwn, html code.shiki .sQHwn{--shiki-light:#E36209;--shiki-default:#FFAB70;--shiki-dark:#FFAB70}html pre.shiki code .sCsY4, html code.shiki .sCsY4{--shiki-light:#6A737D;--shiki-default:#6A737D;--shiki-dark:#6A737D}",{"title":178,"searchDepth":616,"depth":616,"links":1482},[1483,1484,1485,1486,1487,1488,1489,1490,1491,1492,1493],{"id":209,"depth":616,"text":210},{"id":442,"depth":616,"text":443},{"id":507,"depth":616,"text":508},{"id":659,"depth":616,"text":660},{"id":784,"depth":616,"text":785},{"id":831,"depth":616,"text":832},{"id":952,"depth":616,"text":953},{"id":1017,"depth":616,"text":1018},{"id":1062,"depth":616,"text":1063},{"id":1204,"depth":616,"text":1205},{"id":1451,"depth":616,"text":1452},"md",{},{},{"title":64,"description":178},"dZ8zIrSJwVhTmCXyawKd6xnGniku2e8fSSYaEWgJ51o",[1500,1501],{"title":60,"path":61,"stem":62,"description":178,"children":-1},{"title":68,"path":69,"stem":70,"description":178,"children":-1},1776888561551]