# Examples

Each example is a complete, runnable walkthrough of a pattern you'll encounter in real systems. All code is production-shape (error handling, claim validation, key persistence notes included) — not toy snippets.

## The examples

### [Authentication basics →](/examples/authentication-basics)

Sign a JWT on login, verify it on every protected request. Covers symmetric keys, `expiresIn`, audience/issuer binding, and the minimum viable auth setup.

### [Consuming a JWKS endpoint →](/examples/jwks-endpoint)

Verify tokens issued by a third party (your OAuth provider, Auth0, Okta, Entra, Keycloak, …). Fetch the JWK Set, cache it, and let `verify()` pick the right key by `kid`.

### [Refresh token pattern →](/examples/refresh-token-pattern)

Short-lived JWS access tokens, long-lived JWE refresh tokens. Automatic refresh on access-token expiry via the H3 adapter's `onExpire` hook.

### [End-to-end encryption →](/examples/end-to-end-encryption)

One-to-one and one-to-many E2EE with ECDH-ES. The fan-out (one token per recipient) and shared-ciphertext (one encryption, per-recipient wrapped keys) patterns are both covered.

### [Signed receipts →](/examples/signed-receipts)

Multi-signature JWS for notarized documents, quorum approvals, and audit trails. Uses `signMulti` + `verifyMultiAll` with per-signer policy.

## Request an example

Found a pattern you use that isn't here? [Open a discussion](https://github.com/sandros94/unjwt/discussions) with the use case — real-world examples are where this section grows.
