jot

hapi JSON Web Token (JWT) authentication plugin

The 'jwt' scheme takes the following options:

  • secret - (required) {string} secret key used to compute the signature.
  • algorithms - (optional) {array} algorithm(s) allowed to verify tokens. Defaults to ['HS256']. Valid algorithms: ['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'none']
  • audience - (optional) {string|integer} verify audience (aud) claim against this value
  • cookie - (optional) {string} cookie name. Defaults to sid. Works in tandem with hapi-auth-cookie. The JWT must be set when the cookie is set. See examples below.
  • issuer - (optional) {string|integer} verify issuer (iss) claim against this value
  • token - (optional) {string} name of the token set in the cookie. Defaults to token.
  • validateFunc - (optional) {function} function to validate the decoded token on every request.

Note: Storing the JWT in a cookie is optional. You can always send the JWT in an Authorization header.

For examples of usage, check out the tests.
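
What the secret, algorithms, audience and issuer options mean for verification, as an added example that is not jot's own code. The helpers `sign` and `verifyToken`, the reason strings, and the sample secret and claims are hypothetical, and only the HS* algorithms are implemented here.

```javascript
const crypto = require('crypto');

// HMAC algorithms only; the other names on the page are out of scope for this sketch.
const HMAC = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (str) => JSON.parse(Buffer.from(str, 'base64url').toString('utf8'));
const mac = (alg, secret, data) => crypto.createHmac(HMAC[alg], secret).update(data).digest();

// Hypothetical helper: builds a token for the demo ('none' yields an empty signature).
function sign(payload, secret, alg = 'HS256') {
  const data = `${enc({ alg, typ: 'JWT' })}.${enc(payload)}`;
  return `${data}.${alg === 'none' ? '' : mac(alg, secret, data).toString('base64url')}`;
}

// Hypothetical verifier mirroring the options: secret, algorithms, audience, issuer.
function verifyToken(token, { secret, algorithms = ['HS256'], audience, issuer }) {
  const fail = (reason) => ({ valid: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, payload;
  try {
    header = dec(parts[0]);
    payload = dec(parts[1]);
  } catch (err) {
    return fail('malformed');
  }
  // The server-side allowlist decides, never the alg value the client sent.
  if (!header || !algorithms.includes(header.alg)) return fail('algorithm not allowed');
  if (!Object.keys(HMAC).includes(header.alg)) return fail('not implemented in this sketch');
  const expected = mac(header.alg, secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return fail('bad signature');
  }
  if (audience !== undefined && payload?.aud !== audience) return fail('audience mismatch');
  if (issuer !== undefined && payload?.iss !== issuer) return fail('issuer mismatch');
  return { valid: true, payload };
}

// Constructed sample data.
const SECRET = 'constructed-demo-secret';
const CLAIMS = { sub: 'user-1', aud: 'api', iss: 'auth.example' };
const OPTS = { secret: SECRET, audience: 'api', issuer: 'auth.example' };
console.log(verifyToken(sign(CLAIMS, SECRET), OPTS));          // accepted
console.log(verifyToken(sign(CLAIMS, SECRET, 'none'), OPTS));  // rejected
```

Under the JWT specification, 'none' denotes an unsigned token, so an allowlist that includes it accepts tokens nobody signed. Keep algorithms limited to what the issuer actually uses.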