Easily validate JWT tokens in Node.js. This package builds on top of the jsonwebtoken and jwks-rsa packages and extends their functionality with several convenience features, including:
- validating tokens including downloading keys in one step,
- for multitenant apps, validating tokens against a list of allowed tenants,
- validating tokens against specific roles or scopes,
- validating token type (application or user),
- validating token version,
- caching keys for better performance,
- support for resetting cache and deleting specific keys without restarting the app,
- convenience method to get the JWKS URL for the specified Microsoft Entra tenant
npm install jwt-validateFollowing snippets show the basic setup for validating JWT tokens in apps that use the CommonJS and ESM module systems. The following sections show specific use cases on top of the basic setup.
const { TokenValidator, getEntraJwksUri } = require('jwt-validate');
// gets the JWKS URL for the Microsoft Entra common tenant
const entraJwksUri = await getEntraJwksUri();
// create a new token validator with the JWKS URL
const validator = new TokenValidator({
jwksUri: entraJwksUri
});
try {
// define validation options
const options = {
// ...
};
// validate the token
const validToken = await validator.validateToken(token, options);
// Token is valid
}
catch (ex) {
// Token is invalid
console.error(ex);
}import { TokenValidator, getEntraJwksUri } from 'jwt-validate';
// gets the JWKS URL for the Microsoft Entra common tenant
const entraJwksUri = await getEntraJwksUri();
// create a new token validator with the JWKS URL
const validator = new TokenValidator({
jwksUri: entraJwksUri
});
try {
// define validation options
const options = {
// ...
};
// validate the token
const validToken = await validator.validateToken(token, options);
// Token is valid
}
catch (ex) {
// Token is invalid
console.error(ex);
}Following are several examples of using the package to validate JWT tokens in different scenarios. For the basic setup see the previous section.
const options = {
// allowed audience
audience: 'cda00000-0000-0000-0000-a00000000001',
// allowed issuer
issuer: 'https://login.microsoftonline.com/cda00000-0000-0000-0000-700000000001/v2.0'
};
// validate the token
const validToken = await validator.validateToken(token, options);Validate that the token is an application token by checking the idtyp claim. Requires the idtyp claim to be present in the token.
const options = {
idtyp: 'app'
};
// validate the token
const validToken = await validator.validateToken(token, options);
// Token is validconst options = {
ver: '2.0'
};
// validate the token
const validToken = await validator.validateToken(token, options);const options = {
// list of allowed tenants
allowedTenants: ['cda00000-0000-0000-0000-700000000001'],
// allowed audience
audience: 'cda00000-0000-0000-0000-a00000000001',
// allowed issuer multitenant
issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0'
};
// validate the token
const validToken = await validator.validateToken(token, options);Validate that the token has one of the specified roles or scopes. This is a common requirements for APIs that support delegated and application permissions and allow usage with several scopes.
const options = {
scp: ['Customers.Read', 'Customers.ReadWrite'],
roles: ['Customers.Read.All', 'Customers.ReadWrite.All']
};
// validate the token
const validToken = await validator.validateToken(token, options);const { TokenValidator, getEntraJwksUri, CloudType } = require('jwt-validate');
// gets the JWKS URL for the Microsoft Entra common tenant in the US Government cloud
const entraJwksUri = await getEntraJwksUri('cda00000-0000-0000-0000-700000000002', CloudType.USGovernment);
// create a new token validator with the JWKS URL
const validator = new TokenValidator({
jwksUri: entraJwksUri
});Responsible for validating JWT tokens using JWKS (JSON Web Key Set).
-
constructor(options)-
Parameters
-
options: Object - Configuration options for the TokenValidator.-
cache: boolean (optional, default=true) - Whether to cache the JWKS keys. -
cacheMaxAge: number (optional, default=86400000) - The maximum age of the cache in milliseconds (default is 24 hours). -
jwksUri: string - The URI to fetch the JWKS keys from.
-
-
-
Throws
-
Error- If the options parameter is not provided.
-
-
Parameters
-
async validateToken(token, options)-
Description
- Validates a JWT token.
-
Parameters
-
token: string - The JWT token to validate. -
optionsObject (optional): Validation options. VerifyOptions from thejsonwebtokenlibrary with additional properties.-
allowedTenantsstring[] (optional): The allowed tenants for the JWT token. Compared against thetidclaim. -
idtypstring (optional): The idtyp claim to be validated against. -
rolesstring[] (optional): Roles expected in the 'roles' claim in the JWT token. -
scpstring[] (optional): Scopes expected in the 'scp' claim in the JWT token. -
ver: string (optional) - The version claim to be validated against.
-
-
-
Returns
-
Promise<JwtPayload | string>- The decoded and verified JWT token.
-
-
Throws
-
Error- If the token is invalid or the validation fails.
-
-
Description
-
clearCache()-
Description
- Clears the key cache used by the TokenValidator.
-
Parameters
- None
-
Returns
- None
-
Description
-
deleteKey(kid)-
Description
- Deletes a specific key from the cache.
-
Parameters
-
kidstring - The key ID to delete from the cache.
-
-
Returns
- None
-
Description
-
Description
- Gets the JWKS URL for the Microsoft Entra common tenant.
-
Parameters
-
tenantstring (optional, default=common) - The tenant to get the JWKS URL for. -
cloudstring (optional, default=CloudType.Public) - The cloud to get the JWKS URL for.
-
-
Returns
-
Promise<string>- The JWKS URI.
-
-
Description
- Enum for the cloud types.
-
Values
-
Public- Microsoft Azure public cloud. -
Ppe- Microsoft PPE. -
USGovernment- US Government cloud. -
China- Microsoft Chinese national/regional cloud.
-
This project is licensed under the MIT License.