[{"data":1,"prerenderedAt":1533},["ShallowReactive",2],{"navigation":3,"-jwt-jws-verifying":167,"-jwt-jws-verifying-surround":1530},[4,22,78,106,141,148],{"title":5,"path":6,"stem":7,"children":8},"Introduction","\u002Fgetting-started","0.Getting-Started\u002F0.index",[9,10,14,18],{"title":5,"path":6,"stem":7},{"title":11,"path":12,"stem":13},"Installation","\u002Fgetting-started\u002Finstallation","0.Getting-Started\u002F1.installation",{"title":15,"path":16,"stem":17},"Quickstart","\u002Fgetting-started\u002Fquickstart","0.Getting-Started\u002F2.quickstart",{"title":19,"path":20,"stem":21},"Core concepts","\u002Fgetting-started\u002Fcore-concepts","0.Getting-Started\u002F3.core-concepts",{"title":23,"path":24,"stem":25,"children":26,"icon":28},"JWT","\u002Fjwt","1.JWT\u002F0.index",[27,29,52],{"title":23,"path":24,"stem":25,"icon":28},"i-carbon-certificate",{"title":30,"path":31,"stem":32,"children":33,"icon":35},"JWS","\u002Fjwt\u002Fjws","1.JWT\u002F1.JWS\u002F0.index",[34,36,40,44,48],{"title":30,"path":31,"stem":32,"icon":35},"i-carbon-document-signed",{"title":37,"path":38,"stem":39},"Signing","\u002Fjwt\u002Fjws\u002Fsigning","1.JWT\u002F1.JWS\u002F1.signing",{"title":41,"path":42,"stem":43},"Verifying","\u002Fjwt\u002Fjws\u002Fverifying","1.JWT\u002F1.JWS\u002F2.verifying",{"title":45,"path":46,"stem":47},"Multi-signature","\u002Fjwt\u002Fjws\u002Fmulti-signature","1.JWT\u002F1.JWS\u002F3.multi-signature",{"title":49,"path":50,"stem":51},"Algorithms","\u002Fjwt\u002Fjws\u002Falgorithms","1.JWT\u002F1.JWS\u002F4.algorithms",{"title":53,"path":54,"stem":55,"children":56,"icon":58},"JWE","\u002Fjwt\u002Fjwe","1.JWT\u002F2.JWE\u002F0.index",[57,59,63,67,71,75],{"title":53,"path":54,"stem":55,"icon":58},"i-carbon-locked",{"title":60,"path":61,"stem":62},"Encrypting","\u002Fjwt\u002Fjwe\u002Fencrypting","1.JWT\u002F2.JWE\u002F1.encrypting",{"title":64,"path":65,"stem":66},"Decrypting","\u002Fjwt\u002Fjwe\u002Fdecrypting","1.JWT\u002F2.JWE\u002F2.decrypting",{"tit
le":68,"path":69,"stem":70},"Multi-recipient","\u002Fjwt\u002Fjwe\u002Fmulti-recipient","1.JWT\u002F2.JWE\u002F3.multi-recipient",{"title":72,"path":73,"stem":74},"ECDH-ES and end-to-end encryption","\u002Fjwt\u002Fjwe\u002Fecdh-es","1.JWT\u002F2.JWE\u002F4.ecdh-es",{"title":49,"path":76,"stem":77},"\u002Fjwt\u002Fjwe\u002Falgorithms","1.JWT\u002F2.JWE\u002F5.algorithms",{"title":79,"path":80,"stem":81,"children":82,"icon":84},"Examples","\u002Fexamples","10.Examples\u002F0.index",[83,85,90,94,98,102],{"title":79,"path":80,"stem":81,"icon":84},"i-carbon-code-reference",{"title":86,"path":87,"stem":88,"icon":89},"Authentication basics","\u002Fexamples\u002Fauthentication-basics","10.Examples\u002F1.authentication-basics","i-lucide-code",{"title":91,"path":92,"stem":93,"icon":89},"Consuming a JWKS endpoint","\u002Fexamples\u002Fjwks-endpoint","10.Examples\u002F2.jwks-endpoint",{"title":95,"path":96,"stem":97,"icon":89},"Refresh token pattern","\u002Fexamples\u002Frefresh-token-pattern","10.Examples\u002F3.refresh-token-pattern",{"title":99,"path":100,"stem":101,"icon":89},"End-to-end encryption","\u002Fexamples\u002Fend-to-end-encryption","10.Examples\u002F4.end-to-end-encryption",{"title":103,"path":104,"stem":105,"icon":89},"Signed receipts","\u002Fexamples\u002Fsigned-receipts","10.Examples\u002F5.signed-receipts",{"title":107,"path":108,"stem":109,"children":110,"icon":112},"JWK","\u002Fjwk","2.JWK\u002F0.index",[111,113,117,121,125,129,133,137],{"title":107,"path":108,"stem":109,"icon":112},"i-carbon-two-factor-authentication",{"title":114,"path":115,"stem":116},"Generating keys","\u002Fjwk\u002Fgenerating","2.JWK\u002F1.generating",{"title":118,"path":119,"stem":120},"Importing and exporting","\u002Fjwk\u002Fimport-export","2.JWK\u002F2.import-export",{"title":122,"path":123,"stem":124},"PEM conversion","\u002Fjwk\u002Fpem","2.JWK\u002F3.pem",{"title":126,"path":127,"stem":128},"Key 
wrapping","\u002Fjwk\u002Fwrapping","2.JWK\u002F4.wrapping",{"title":130,"path":131,"stem":132},"Password derivation","\u002Fjwk\u002Fpassword-derivation","2.JWK\u002F5.password-derivation",{"title":134,"path":135,"stem":136},"JWK Sets","\u002Fjwk\u002Fjwk-sets","2.JWK\u002F6.jwk-sets",{"title":138,"path":139,"stem":140},"JWK cache","\u002Fjwk\u002Fcache","2.JWK\u002F7.cache",{"title":142,"path":143,"stem":144,"children":145,"icon":147},"Utilities","\u002Futilities","3.Utilities\u002F0.index",[146],{"title":142,"path":143,"stem":144,"icon":147},"i-carbon-tool-box",{"title":149,"path":150,"stem":151,"children":152,"icon":154},"Adapters","\u002Fadapters","99.Adapters\u002F0.index",[153,155,159,163],{"title":149,"path":150,"stem":151,"icon":154},"i-carbon-plug",{"title":156,"path":157,"stem":158},"H3 sessions","\u002Fadapters\u002Fh3-sessions","99.Adapters\u002F1.h3-sessions",{"title":160,"path":161,"stem":162},"Lifecycle hooks","\u002Fadapters\u002Fhooks","99.Adapters\u002F2.hooks",{"title":164,"path":165,"stem":166},"Lower-level functions","\u002Fadapters\u002Flower-level","99.Adapters\u002F3.lower-level",{"id":168,"title":41,"body":169,"description":178,"extension":1525,"meta":1526,"navigation":1527,"path":42,"seo":1528,"stem":43,"__hash__":1529},"content\u002F1.JWT\u002F1.JWS\u002F2.verifying.md",{"type":170,"value":171,"toc":1512},"minimark",[172,202,210,215,333,362,368,372,409,422,445,452,459,571,574,599,619,632,636,647,685,812,819,823,858,872,899,905,952,976,980,990,1115,1121,1155,1159,1162,1263,1266,1312,1316,1340,1370,1374,1484,1488,1508],[173,174,179],"pre",{"className":175,"code":176,"language":177,"meta":178,"style":178},"language-ts shiki shiki-themes github-light github-dark github-dark","verify(token, key, options?)\n","ts","",[180,181,182],"code",{"__ignoreMap":178},[183,184,187,191,195,199],"span",{"class":185,"line":186},"line",1,[183,188,190],{"class":189},"shcOC","verify",[183,192,194],{"class":193},"slsVL","(token, key, 
options",[183,196,198],{"class":197},"so5gQ","?",[183,200,201],{"class":193},")\n",[203,204,205,206,209],"p",{},"Checks a compact JWS, validates its claims (when the payload is an object), and returns ",[180,207,208],{},"{ payload, protectedHeader }",".",[211,212,214],"h2",{"id":213},"parameters","Parameters",[216,217,218,231],"table",{},[219,220,221],"thead",{},[222,223,224,228],"tr",{},[225,226,227],"th",{},"Name",[225,229,230],{},"Type",[232,233,234,248,260,273,286,298],"tbody",{},[222,235,236,242],{},[237,238,239],"td",{},[180,240,241],{},"token",[237,243,244,247],{},[180,245,246],{},"string"," — the compact JWS",[222,249,250,255],{},[237,251,252],{},[180,253,254],{},"key",[237,256,257],{},[180,258,259],{},"CryptoKey | JWKSet | JWSVerifyJWK | Uint8Array | JWKLookupFunction",[222,261,262,267],{},[237,263,264],{},[180,265,266],{},"options.algorithms",[237,268,269,272],{},[180,270,271],{},"JWSAlgorithm[]"," — allowlist",[222,274,275,280],{},[237,276,277],{},[180,278,279],{},"options.validateClaims",[237,281,282,285],{},[180,283,284],{},"boolean"," — set to false to force-skip claim validation",[222,287,288,293],{},[237,289,290],{},[180,291,292],{},"options.forceUint8Array",[237,294,295,297],{},[180,296,284],{}," — always return payload as bytes",[222,299,300,303],{},[237,301,302],{},"Claim options",[237,304,305,308,309,308,312,308,315,308,318,308,321,308,324,308,327,308,330],{},[180,306,307],{},"audience",", ",[180,310,311],{},"issuer",[180,313,314],{},"subject",[180,316,317],{},"maxTokenAge",[180,319,320],{},"clockTolerance",[180,322,323],{},"typ",[180,325,326],{},"currentDate",[180,328,329],{},"requiredClaims",[180,331,332],{},"recognizedHeaders",[203,334,335,338,339,345,346,349,350,353,354,357,358,361],{},[180,336,337],{},"JWSVerifyJWK"," is the public counterpart of ",[340,341,342],"a",{"href":38},[180,343,344],{},"JWSSignJWK"," — ",[180,347,348],{},"JWK_oct\u003CJWK_HMAC>"," or a public asymmetric JWK with a signing ",[180,351,352],{},"alg",". 
",[180,355,356],{},"JWKSet"," stays fully permissive (",[180,359,360],{},"JWK[]","); wire JWKS are heterogeneous and the runtime filters candidates per header.",[203,363,364,365,209],{},"Returns ",[180,366,367],{},"Promise\u003C{ payload: T, protectedHeader: JWSProtectedHeader }>",[211,369,371],{"id":370},"the-simple-case","The simple case",[173,373,375],{"className":175,"code":374,"language":177,"meta":178,"style":178},"const { payload, protectedHeader } = await verify(token, key);\n",[180,376,377],{"__ignoreMap":178},[183,378,379,382,385,389,391,394,397,400,403,406],{"class":185,"line":186},[183,380,381],{"class":197},"const",[183,383,384],{"class":193}," { ",[183,386,388],{"class":387},"suiK_","payload",[183,390,308],{"class":193},[183,392,393],{"class":387},"protectedHeader",[183,395,396],{"class":193}," } ",[183,398,399],{"class":197},"=",[183,401,402],{"class":197}," await",[183,404,405],{"class":189}," verify",[183,407,408],{"class":193},"(token, key);\n",[203,410,411,412,414,415,417,418,421],{},"If ",[180,413,254],{}," is a JWK with an ",[180,416,352],{}," field (as every key produced by ",[180,419,420],{},"generateJWK()"," is), unjwt:",[423,424,426,430,436,439,442],"steps",{"level":425},"4",[427,428,429],"h4",{},"decodes the protected header,",[427,431,432,433,435],{},"checks the token's ",[180,434,352],{}," is in the allowlist inferred from the key,",[427,437,438],{},"verifies the signature,",[427,440,441],{},"parses the payload,",[427,443,444],{},"runs claim validation if the payload is a JSON object.",[211,446,448,449],{"id":447},"dynamic-key-resolution-jwklookupfunction","Dynamic key resolution — ",[180,450,451],{},"JWKLookupFunction",[203,453,454,455,458],{},"For OIDC\u002FOAuth providers or anywhere the verifier picks a key based on the token's ",[180,456,457],{},"kid",", pass a lookup function:",[173,460,463],{"className":175,"code":461,"filename":462,"language":177,"meta":178,"style":178},"const { payload } = await verify(\n  token,\n  async 
(header, _rawToken) => {\n    \u002F\u002F fetch the JWK for the given kid — typically from a cache or a JWKS endpoint\n    return await fetchKeyByKid(header.kid!);\n  },\n  { algorithms: [\"RS256\"] }, \u002F\u002F required — the function returns unknowable shapes\n);\n","lookup.ts",[180,464,465,484,490,517,524,544,550,566],{"__ignoreMap":178},[183,466,467,469,471,473,475,477,479,481],{"class":185,"line":186},[183,468,381],{"class":197},[183,470,384],{"class":193},[183,472,388],{"class":387},[183,474,396],{"class":193},[183,476,399],{"class":197},[183,478,402],{"class":197},[183,480,405],{"class":189},[183,482,483],{"class":193},"(\n",[183,485,487],{"class":185,"line":486},2,[183,488,489],{"class":193},"  token,\n",[183,491,493,496,499,503,505,508,511,514],{"class":185,"line":492},3,[183,494,495],{"class":197},"  async",[183,497,498],{"class":193}," (",[183,500,502],{"class":501},"sQHwn","header",[183,504,308],{"class":193},[183,506,507],{"class":501},"_rawToken",[183,509,510],{"class":193},") ",[183,512,513],{"class":197},"=>",[183,515,516],{"class":193}," {\n",[183,518,520],{"class":185,"line":519},4,[183,521,523],{"class":522},"sCsY4","    \u002F\u002F fetch the JWK for the given kid — typically from a cache or a JWKS endpoint\n",[183,525,527,530,532,535,538,541],{"class":185,"line":526},5,[183,528,529],{"class":197},"    return",[183,531,402],{"class":197},[183,533,534],{"class":189}," fetchKeyByKid",[183,536,537],{"class":193},"(header.kid",[183,539,540],{"class":197},"!",[183,542,543],{"class":193},");\n",[183,545,547],{"class":185,"line":546},6,[183,548,549],{"class":193},"  },\n",[183,551,553,556,560,563],{"class":185,"line":552},7,[183,554,555],{"class":193},"  { algorithms: [",[183,557,559],{"class":558},"sfrk1","\"RS256\"",[183,561,562],{"class":193},"] }, ",[183,564,565],{"class":522},"\u002F\u002F required — the function returns unknowable shapes\n",[183,567,569],{"class":185,"line":568},8,[183,570,543],{"class":193},[203,572,573],{},"The lookup 
function receives:",[575,576,577,593],"ul",{},[578,579,580,582,583,308,585,308,587,308,589,592],"li",{},[180,581,502],{}," — the protected header (",[180,584,457],{},[180,586,352],{},[180,588,323],{},[180,590,591],{},"crit",", and any custom fields). It is passed before the signature is verified, so treat every field as untrusted input.",[578,594,595,598],{},[180,596,597],{},"rawToken"," — the original token string (useful for structured logging).",[203,600,601,602,308,604,308,606,308,609,612,613,615,616,618],{},"It can return any of: ",[180,603,107],{},[180,605,356],{},[180,607,608],{},"CryptoKey",[180,610,611],{},"Uint8Array",", or a ",[180,614,246],{},". A ",[180,617,246],{}," return is meaningful for JWE (PBES2 password); for JWS it's UTF-8 encoded and used as a raw symmetric key. Async is allowed.",[620,621,622],"tip",{},[203,623,624,625,628,629,631],{},"Always pass ",[180,626,627],{},"algorithms"," explicitly when using a lookup function — the library can't infer an allowlist from a function's return type. Leaving it out means no default guard against ",[180,630,352],{}," confusion attacks.",[211,633,635],{"id":634},"jwkset-automatic-key-rotation","JWKSet — automatic key rotation",[203,637,638,639,642,643,646],{},"A ",[640,641,356],"strong",{}," is any object with a ",[180,644,645],{},"keys: JWK[]"," array. When you pass a set — directly, or returned from a lookup function — unjwt selects candidate keys like this:",[423,648,649,660,671],{"level":425},[427,650,651,656,657,659],{},[640,652,653,654],{},"Token has a ",[180,655,457],{}," — only keys in the set with that exact ",[180,658,457],{},". 
Typically one key, no retry.",[427,661,662,667,668,670],{},[640,663,664,665],{},"Token has no ",[180,666,457],{}," — every key whose ",[180,669,352],{}," field matches the token is a candidate, tried in order until one succeeds.",[427,672,673,676,677,680,681,684],{},[640,674,675],{},"No candidates at all"," — throws ",[180,678,679],{},"JWTError(\"ERR_JWK_KEY_NOT_FOUND\")"," ",[640,682,683],{},"before"," any crypto attempt.",[173,686,689],{"className":175,"code":687,"filename":688,"language":177,"meta":178,"style":178},"const jwks = await fetch(\"https:\u002F\u002Fauth.example.com\u002F.well-known\u002Fjwks.json\").then((r) => r.json());\n\n\u002F\u002F With kid: O(1) selection\nconst { payload } = await verify(tokenFromProvider, jwks);\n\n\u002F\u002F Rotating set, no kid yet on old tokens — all compatible keys are tried\nconst rotatingSet = { keys: [newKey, legacyKey] };\nconst { payload: p } = await verify(oldToken, rotatingSet);\n","jwks-endpoint.ts",[180,690,691,737,743,748,767,771,776,788],{"__ignoreMap":178},[183,692,693,695,698,701,703,706,709,712,715,718,721,724,726,728,731,734],{"class":185,"line":186},[183,694,381],{"class":197},[183,696,697],{"class":387}," jwks",[183,699,700],{"class":197}," =",[183,702,402],{"class":197},[183,704,705],{"class":189}," fetch",[183,707,708],{"class":193},"(",[183,710,711],{"class":558},"\"https:\u002F\u002Fauth.example.com\u002F.well-known\u002Fjwks.json\"",[183,713,714],{"class":193},").",[183,716,717],{"class":189},"then",[183,719,720],{"class":193},"((",[183,722,723],{"class":501},"r",[183,725,510],{"class":193},[183,727,513],{"class":197},[183,729,730],{"class":193}," r.",[183,732,733],{"class":189},"json",[183,735,736],{"class":193},"());\n",[183,738,739],{"class":185,"line":486},[183,740,742],{"emptyLinePlaceholder":741},true,"\n",[183,744,745],{"class":185,"line":492},[183,746,747],{"class":522},"\u002F\u002F With kid: O(1) 
selection\n",[183,749,750,752,754,756,758,760,762,764],{"class":185,"line":519},[183,751,381],{"class":197},[183,753,384],{"class":193},[183,755,388],{"class":387},[183,757,396],{"class":193},[183,759,399],{"class":197},[183,761,402],{"class":197},[183,763,405],{"class":189},[183,765,766],{"class":193},"(tokenFromProvider, jwks);\n",[183,768,769],{"class":185,"line":526},[183,770,742],{"emptyLinePlaceholder":741},[183,772,773],{"class":185,"line":546},[183,774,775],{"class":522},"\u002F\u002F Rotating set, no kid yet on old tokens — all compatible keys are tried\n",[183,777,778,780,783,785],{"class":185,"line":552},[183,779,381],{"class":197},[183,781,782],{"class":387}," rotatingSet",[183,784,700],{"class":197},[183,786,787],{"class":193}," { keys: [newKey, legacyKey] };\n",[183,789,790,792,794,796,799,801,803,805,807,809],{"class":185,"line":568},[183,791,381],{"class":197},[183,793,384],{"class":193},[183,795,388],{"class":501},[183,797,798],{"class":193},": ",[183,800,203],{"class":387},[183,802,396],{"class":193},[183,804,399],{"class":197},[183,806,402],{"class":197},[183,808,405],{"class":189},[183,810,811],{"class":193},"(oldToken, rotatingSet);\n",[203,813,814,815,818],{},"This is how transparent key rotation works without any retry code in userland. See the ",[340,816,817],{"href":92},"JWKS endpoint example"," for a full walkthrough.",[211,820,822],{"id":821},"algorithm-allowlist","Algorithm allowlist",[203,824,825,827,828,830,831,834,835,841,842,845,846,849,850,853,854,857],{},[180,826,266],{}," constrains which ",[180,829,352],{}," values are acceptable. 
Omitting it is ",[640,832,833],{},"safe when the key has metadata"," — unjwt calls ",[340,836,838],{"href":837},"\u002Futilities#inferjwsallowedalgorithms",[180,839,840],{},"inferJWSAllowedAlgorithms"," to derive a narrow allowlist from the key shape (a key with ",[180,843,844],{},"alg: \"HS256\""," yields ",[180,847,848],{},"[\"HS256\"]",", an RSA public key yields both ",[180,851,852],{},"RS*"," and ",[180,855,856],{},"PS*"," variants).",[203,859,860,861,864,865,867,868,871],{},"When inference is impossible, unjwt throws ",[180,862,863],{},"ERR_JWS_ALG_NOT_ALLOWED"," (\"Cannot infer allowed algorithms from this key; pass ",[180,866,266],{}," explicitly.\") before attempting verification. Inference returns ",[180,869,870],{},"undefined"," for:",[575,873,874,880,896],{},[578,875,876,877,879],{},"Raw ",[180,878,611],{}," keys.",[578,881,882,883,885,886,889,890,893,894,714],{},"JWKs without an ",[180,884,352],{}," field (and whose ",[180,887,888],{},"kty","\u002F",[180,891,892],{},"crv"," doesn't unambiguously pin the signing alg — e.g. 
an RSA JWK without ",[180,895,352],{},[578,897,898],{},"Lookup functions that resolve to such shapes.",[203,900,901,902,904],{},"For these cases, pass ",[180,903,627],{}," explicitly:",[173,906,908],{"className":175,"code":907,"language":177,"meta":178,"style":178},"const { payload } = await verify(token, lookupFn, {\n  algorithms: [\"RS256\", \"PS256\"], \u002F\u002F only these will be considered\n});\n",[180,909,910,929,947],{"__ignoreMap":178},[183,911,912,914,916,918,920,922,924,926],{"class":185,"line":186},[183,913,381],{"class":197},[183,915,384],{"class":193},[183,917,388],{"class":387},[183,919,396],{"class":193},[183,921,399],{"class":197},[183,923,402],{"class":197},[183,925,405],{"class":189},[183,927,928],{"class":193},"(token, lookupFn, {\n",[183,930,931,934,936,938,941,944],{"class":185,"line":486},[183,932,933],{"class":193},"  algorithms: [",[183,935,559],{"class":558},[183,937,308],{"class":193},[183,939,940],{"class":558},"\"PS256\"",[183,942,943],{"class":193},"], ",[183,945,946],{"class":522},"\u002F\u002F only these will be considered\n",[183,948,949],{"class":185,"line":492},[183,950,951],{"class":193},"});\n",[953,954,955],"warning",{},[203,956,957,964,965,968,969,853,972,975],{},[640,958,959,960,963],{},"The \"",[180,961,962],{},"alg: none","\" attack"," — a classic JWT pitfall. unjwt rejects ",[180,966,967],{},"alg: \"none\""," outright, but an overly permissive allowlist (e.g. accepting both ",[180,970,971],{},"HS256",[180,973,974],{},"RS256"," against a key that could be interpreted either way) opens the door to other confusion attacks. 
Keep the allowlist as narrow as the key allows.",[211,977,979],{"id":978},"claim-validation-options","Claim validation options",[203,981,982,983,989],{},"These all come from the shared ",[340,984,986],{"href":985},"\u002Futilities#validatejwtclaims",[180,987,988],{},"JWTClaimValidationOptions"," interface:",[216,991,992,1002],{},[219,993,994],{},[222,995,996,999],{},[225,997,998],{},"Option",[225,1000,1001],{},"Effect",[232,1003,1004,1016,1028,1040,1054,1075,1086,1095,1104],{},[222,1005,1006,1010],{},[237,1007,1008],{},[180,1009,307],{},[237,1011,1012,1013,209],{},"Must match (or be included in) the token's ",[180,1014,1015],{},"aud",[222,1017,1018,1022],{},[237,1019,1020],{},[180,1021,311],{},[237,1023,1024,1025,209],{},"Must match (or be one of) the token's ",[180,1026,1027],{},"iss",[222,1029,1030,1034],{},[237,1031,1032],{},[180,1033,314],{},[237,1035,1036,1037,209],{},"Must match the token's ",[180,1038,1039],{},"sub",[222,1041,1042,1046],{},[237,1043,1044],{},[180,1045,317],{},[237,1047,1048,1051,1052,209],{},[180,1049,1050],{},"iat"," must be within this duration of ",[180,1053,326],{},[222,1055,1056,1060],{},[237,1057,1058],{},[180,1059,320],{},[237,1061,1062,1063,889,1066,889,1069,1071,1072,209],{},"Seconds of slack for ",[180,1064,1065],{},"exp",[180,1067,1068],{},"nbf",[180,1070,1050],{}," comparisons. 
Defaults to ",[180,1073,1074],{},"0",[222,1076,1077,1081],{},[237,1078,1079],{},[180,1080,323],{},[237,1082,1036,1083,1085],{},[180,1084,323],{}," header.",[222,1087,1088,1092],{},[237,1089,1090],{},[180,1091,329],{},[237,1093,1094],{},"Array of claim names that must be present.",[222,1096,1097,1101],{},[237,1098,1099],{},[180,1100,326],{},[237,1102,1103],{},"Override \"now\" for comparisons.",[222,1105,1106,1110],{},[237,1107,1108],{},[180,1109,332],{},[237,1111,1112,1113,714],{},"Critical-header allowlist (for RFC 7515 §4.1.11 ",[180,1114,591],{},[203,1116,1117,1120],{},[180,1118,1119],{},"validateClaims"," has three states:",[575,1122,1123,1133,1147],{},[578,1124,1125,1129,1130,1132],{},[640,1126,1127],{},[180,1128,870],{}," (default) — validate whenever the decoded payload is a plain JSON object (independent of the ",[180,1131,323],{}," header).",[578,1134,1135,1140,1141,1143,1144,1146],{},[640,1136,1137],{},[180,1138,1139],{},"true"," — always validate claims. Same practical effect as ",[180,1142,870],{}," here, since non-object payloads (",[180,1145,611],{},", forced-bytes) still skip validation.",[578,1148,1149,1154],{},[640,1150,1151],{},[180,1152,1153],{},"false"," — skip validation entirely (useful when signing arbitrary bytes).",[211,1156,1158],{"id":1157},"payload-typing","Payload typing",[203,1160,1161],{},"Pass a generic to get a typed payload:",[173,1163,1166],{"className":175,"code":1164,"filename":1165,"language":177,"meta":178,"style":178},"interface MyClaims {\n  sub: string;\n  role: \"admin\" | \"user\";\n  org: string;\n}\n\nconst { payload } = await verify\u003CMyClaims>(token, key);\npayload.role; \u002F\u002F \"admin\" | \"user\"\n","typed.ts",[180,1167,1168,1178,1192,1210,1221,1226,1230,1255],{"__ignoreMap":178},[183,1169,1170,1173,1176],{"class":185,"line":186},[183,1171,1172],{"class":197},"interface",[183,1174,1175],{"class":189}," 
MyClaims",[183,1177,516],{"class":193},[183,1179,1180,1183,1186,1189],{"class":185,"line":486},[183,1181,1182],{"class":501},"  sub",[183,1184,1185],{"class":197},":",[183,1187,1188],{"class":387}," string",[183,1190,1191],{"class":193},";\n",[183,1193,1194,1197,1199,1202,1205,1208],{"class":185,"line":492},[183,1195,1196],{"class":501},"  role",[183,1198,1185],{"class":197},[183,1200,1201],{"class":558}," \"admin\"",[183,1203,1204],{"class":197}," |",[183,1206,1207],{"class":558}," \"user\"",[183,1209,1191],{"class":193},[183,1211,1212,1215,1217,1219],{"class":185,"line":519},[183,1213,1214],{"class":501},"  org",[183,1216,1185],{"class":197},[183,1218,1188],{"class":387},[183,1220,1191],{"class":193},[183,1222,1223],{"class":185,"line":526},[183,1224,1225],{"class":193},"}\n",[183,1227,1228],{"class":185,"line":546},[183,1229,742],{"emptyLinePlaceholder":741},[183,1231,1232,1234,1236,1238,1240,1242,1244,1246,1249,1252],{"class":185,"line":552},[183,1233,381],{"class":197},[183,1235,384],{"class":193},[183,1237,388],{"class":387},[183,1239,396],{"class":193},[183,1241,399],{"class":197},[183,1243,402],{"class":197},[183,1245,405],{"class":189},[183,1247,1248],{"class":193},"\u003C",[183,1250,1251],{"class":189},"MyClaims",[183,1253,1254],{"class":193},">(token, key);\n",[183,1256,1257,1260],{"class":185,"line":568},[183,1258,1259],{"class":193},"payload.role; ",[183,1261,1262],{"class":522},"\u002F\u002F \"admin\" | \"user\"\n",[203,1264,1265],{},"Or return bytes directly:",[173,1267,1269],{"className":175,"code":1268,"language":177,"meta":178,"style":178},"const { payload } = await verify(token, key, { forceUint8Array: true });\npayload instanceof Uint8Array; \u002F\u002F 
true\n",[180,1270,1271,1295],{"__ignoreMap":178},[183,1272,1273,1275,1277,1279,1281,1283,1285,1287,1290,1292],{"class":185,"line":186},[183,1274,381],{"class":197},[183,1276,384],{"class":193},[183,1278,388],{"class":387},[183,1280,396],{"class":193},[183,1282,399],{"class":197},[183,1284,402],{"class":197},[183,1286,405],{"class":189},[183,1288,1289],{"class":193},"(token, key, { forceUint8Array: ",[183,1291,1139],{"class":387},[183,1293,1294],{"class":193}," });\n",[183,1296,1297,1300,1303,1306,1309],{"class":185,"line":486},[183,1298,1299],{"class":193},"payload ",[183,1301,1302],{"class":197},"instanceof",[183,1304,1305],{"class":189}," Uint8Array",[183,1307,1308],{"class":193},"; ",[183,1310,1311],{"class":522},"\u002F\u002F true\n",[211,1313,1315],{"id":1314},"critical-header-handling","Critical header handling",[203,1317,1318,1319,1321,1322,1328,1329,1332,1333,1335,1336,1339],{},"Headers listed in the token's ",[180,1320,591],{}," field must be understood by the verifier, per ",[340,1323,1327],{"href":1324,"rel":1325},"https:\u002F\u002Fwww.rfc-editor.org\u002Frfc\u002Frfc7515#section-4.1.11",[1326],"nofollow","RFC 7515 §4.1.11",". 
unjwt recognizes ",[180,1330,1331],{},"b64"," natively; anything else in ",[180,1334,591],{}," must be listed in ",[180,1337,1338],{},"options.recognizedHeaders"," or verification fails:",[173,1341,1343],{"className":175,"code":1342,"language":177,"meta":178,"style":178},"await verify(token, key, {\n  recognizedHeaders: [\"my-custom-crit-header\"],\n});\n",[180,1344,1345,1355,1366],{"__ignoreMap":178},[183,1346,1347,1350,1352],{"class":185,"line":186},[183,1348,1349],{"class":197},"await",[183,1351,405],{"class":189},[183,1353,1354],{"class":193},"(token, key, {\n",[183,1356,1357,1360,1363],{"class":185,"line":486},[183,1358,1359],{"class":193},"  recognizedHeaders: [",[183,1361,1362],{"class":558},"\"my-custom-crit-header\"",[183,1364,1365],{"class":193},"],\n",[183,1367,1368],{"class":185,"line":492},[183,1369,951],{"class":193},[211,1371,1373],{"id":1372},"full-signature","Full signature",[173,1375,1377],{"className":175,"code":1376,"language":177,"meta":178,"style":178},"interface JWSVerifyOptions extends JWTClaimValidationOptions {\n  algorithms?: JWSAlgorithm[];\n  forceUint8Array?: boolean;\n  validateClaims?: boolean;\n}\n\ninterface JWSVerifyResult\u003CT> {\n  payload: T;\n  protectedHeader: JWSProtectedHeader;\n}\n",[180,1378,1379,1394,1408,1420,1431,1435,1439,1454,1466,1479],{"__ignoreMap":178},[183,1380,1381,1383,1386,1389,1392],{"class":185,"line":186},[183,1382,1172],{"class":197},[183,1384,1385],{"class":189}," JWSVerifyOptions",[183,1387,1388],{"class":197}," extends",[183,1390,1391],{"class":189}," JWTClaimValidationOptions",[183,1393,516],{"class":193},[183,1395,1396,1399,1402,1405],{"class":185,"line":486},[183,1397,1398],{"class":501},"  algorithms",[183,1400,1401],{"class":197},"?:",[183,1403,1404],{"class":189}," JWSAlgorithm",[183,1406,1407],{"class":193},"[];\n",[183,1409,1410,1413,1415,1418],{"class":185,"line":492},[183,1411,1412],{"class":501},"  forceUint8Array",[183,1414,1401],{"class":197},[183,1416,1417],{"class":387}," 
boolean",[183,1419,1191],{"class":193},[183,1421,1422,1425,1427,1429],{"class":185,"line":519},[183,1423,1424],{"class":501},"  validateClaims",[183,1426,1401],{"class":197},[183,1428,1417],{"class":387},[183,1430,1191],{"class":193},[183,1432,1433],{"class":185,"line":526},[183,1434,1225],{"class":193},[183,1436,1437],{"class":185,"line":546},[183,1438,742],{"emptyLinePlaceholder":741},[183,1440,1441,1443,1446,1448,1451],{"class":185,"line":552},[183,1442,1172],{"class":197},[183,1444,1445],{"class":189}," JWSVerifyResult",[183,1447,1248],{"class":193},[183,1449,1450],{"class":189},"T",[183,1452,1453],{"class":193},"> {\n",[183,1455,1456,1459,1461,1464],{"class":185,"line":568},[183,1457,1458],{"class":501},"  payload",[183,1460,1185],{"class":197},[183,1462,1463],{"class":189}," T",[183,1465,1191],{"class":193},[183,1467,1469,1472,1474,1477],{"class":185,"line":1468},9,[183,1470,1471],{"class":501},"  protectedHeader",[183,1473,1185],{"class":197},[183,1475,1476],{"class":189}," JWSProtectedHeader",[183,1478,1191],{"class":193},[183,1480,1482],{"class":185,"line":1481},10,[183,1483,1225],{"class":193},[211,1485,1487],{"id":1486},"see-also","See also",[575,1489,1490,1496,1502],{},[578,1491,1492,1495],{},[340,1493,1494],{"href":38},"Signing →"," — the producer side.",[578,1497,1498,1501],{},[340,1499,1500],{"href":46},"Multi-signature →"," — verifying multiple signatures at once.",[578,1503,1504,1507],{},[340,1505,1506],{"href":135},"JWK Sets →"," — managing multiple keys.",[1509,1510,1511],"style",{},"html pre.shiki code .shcOC, html code.shiki .shcOC{--shiki-light:#6F42C1;--shiki-default:#B392F0;--shiki-dark:#B392F0}html pre.shiki code .slsVL, html code.shiki .slsVL{--shiki-light:#24292E;--shiki-default:#E1E4E8;--shiki-dark:#E1E4E8}html pre.shiki code .so5gQ, html code.shiki .so5gQ{--shiki-light:#D73A49;--shiki-default:#F97583;--shiki-dark:#F97583}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: 
var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .suiK_, html code.shiki .suiK_{--shiki-light:#005CC5;--shiki-default:#79B8FF;--shiki-dark:#79B8FF}html pre.shiki code .sQHwn, html code.shiki .sQHwn{--shiki-light:#E36209;--shiki-default:#FFAB70;--shiki-dark:#FFAB70}html pre.shiki code .sCsY4, html code.shiki .sCsY4{--shiki-light:#6A737D;--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .sfrk1, html code.shiki .sfrk1{--shiki-light:#032F62;--shiki-default:#9ECBFF;--shiki-dark:#9ECBFF}",{"title":178,"searchDepth":486,"depth":486,"links":1513},[1514,1515,1516,1518,1519,1520,1521,1522,1523,1524],{"id":213,"depth":486,"text":214},{"id":370,"depth":486,"text":371},{"id":447,"depth":486,"text":1517},"Dynamic key resolution — 
JWKLookupFunction",{"id":634,"depth":486,"text":635},{"id":821,"depth":486,"text":822},{"id":978,"depth":486,"text":979},{"id":1157,"depth":486,"text":1158},{"id":1314,"depth":486,"text":1315},{"id":1372,"depth":486,"text":1373},{"id":1486,"depth":486,"text":1487},"md",{},{},{"title":41,"description":178},"JWtSII4VVRenc7YClh9KVgMCEUTZCTYawYSoDLKbv_g",[1531,1532],{"title":37,"path":38,"stem":39,"description":178,"children":-1},{"title":45,"path":46,"stem":47,"description":178,"children":-1},1776888561334]