@sentrie/jwt
The @sentrie/jwt module provides JSON Web Token decoding and verification utilities. Note: This module only decodes and verifies tokens; it does NOT create/generate tokens.
use { decode, verify, getPayload, getHeader } from @sentrie/jwtFunctions
Section titled “Functions”decode(token: string, secret?: string): Record<string, any>
Section titled “decode(token: string, secret?: string): Record<string, any>”Decodes a JWT token and optionally verifies its signature.
Parameters:
token- The JWT token string to decodesecret- Optional secret key for signature verification. If provided, verifies the token signature.
Returns: The decoded payload as an object
Throws: Error if the token format is invalid, signature verification fails, or the algorithm is unsupported
Supported algorithms: HS256, HS384, HS512
Example:
use { decode } from @sentrie/jwtlet token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."let payload = jwt.decode(token, "secret-key")verify(token: string, secret: string, algorithm?: string): boolean
Section titled “verify(token: string, secret: string, algorithm?: string): boolean”Verifies a JWT token’s signature.
Parameters:
token- The JWT token string to verifysecret- The secret key used for signature verificationalgorithm- Optional algorithm name (default:"HS256"). Supported: HS256, HS384, HS512
Returns: true if the signature is valid, false otherwise
Example:
use { verify } from @sentrie/jwtlet token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."let isValid = jwt.verify(token, "secret-key", "HS256")getPayload(token: string): Record<string, any>
Section titled “getPayload(token: string): Record<string, any>”Extracts the payload from a JWT token without verification.
Warning: This does NOT verify the signature - use decode() with a secret for verification.
Parameters:
token- The JWT token string
Returns: The decoded payload as an object
Throws: Error if the token format is invalid
Example:
use { getPayload } from @sentrie/jwtlet token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."let payload = jwt.getPayload(token) // No verification - use with caution!getHeader(token: string): Record<string, any>
Section titled “getHeader(token: string): Record<string, any>”Extracts the header from a JWT token without verification.
Parameters:
token- The JWT token string
Returns: The decoded header as an object
Throws: Error if the token format is invalid
Example:
use { getHeader } from @sentrie/jwtlet token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."let header = jwt.getHeader(token)Complete Example
Section titled “Complete Example”namespace com/example/auth
policy mypolicy { use { decode, verify } from @sentrie/jwt fact token!: string fact secretKey!: string
rule verifyToken = default false { let isValid = jwt.verify(token, secretKey) yield isValid }
rule decodeToken = default false { let payload = jwt.decode(token, secretKey) let userId = payload["userId"] let exp = payload["exp"] yield userId != null and exp > time.now() }
export decision of verifyToken export decision of decodeToken}Security Best Practices
Section titled “Security Best Practices”- Always verify signatures - Use
verify()ordecode()with a secret key before trusting token data - Check expiration - Verify the
expclaim in the payload - Validate claims - Check required claims (e.g.,
iss,aud,sub) before using the token - Never use
getPayload()alone - Always verify signatures usingverify()ordecode()with a secret
Supported Algorithms
Section titled “Supported Algorithms”- HS256 - HMAC with SHA-256 (default)
- HS384 - HMAC with SHA-384
- HS512 - HMAC with SHA-512
Token Structure
Section titled “Token Structure”A JWT token consists of three parts separated by dots (.):
header.payload.signature- Header - Contains metadata about the token (algorithm, type)
- Payload - Contains the claims (data)
- Signature - Used to verify the token hasn’t been tampered with