@radzor/jwt-auth
Create and verify JWT tokens using HMAC-SHA256/384/512 with no external dependencies. Sign tokens with custom claims and expiration, verify signatures, decode without verification, and refresh expiring tokens.
Securityv0.1.0typescriptpythonServerjwtauthtokenauthenticationsecurityhmacby Radzor
Install
View source on GitHub →$npx radzor@latest add jwt-auth
⚠ Constraints: No external dependencies — uses Node.js built-in crypto module. Only supports HMAC algorithms (HS256/384/512), not RSA or ECDSA. Secret must be kept server-side. Use decode() only for non-security-critical reads — always verify() before trusting claims.
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| secret* | string | — | HMAC secret key for signing and verifying tokens. Minimum 32 characters recommended.JWT_SECRET |
| algorithm | 'HS256' | 'HS384' | 'HS512' | HS256 | HMAC algorithm for JWT signatures. |
| issuer | string | — | Default 'iss' claim for issued tokens. |
| audience | string | — | Default 'aud' claim for issued tokens. |
| expiresIn | number | 3600 | Default token lifetime in seconds (default: 1 hour). |
secret*string