Skip to Content
@exortek/jwsdecode — UNSAFE inspection

jws.decode / jws.decodeProtectedHeader

Parse a compact JWS without verifying the signature. For inspection, kid extraction before choosing a resolver, or debugging a token pulled out of a log.

Never gate authorisation on decode. It returns whatever bytes were in the token. A well-formed but forged token decodes cleanly. Always run authorised paths through verify.

decode(token)

import { decode } from '@exortek/jws' const { header, payload, signature } = decode(token) // header: { alg: 'ES256', kid: 'k1', ... } // payload: whatever was signed — object, string, or Buffer // signature: raw bytes as a Buffer

Payload decoding follows the compact-verify heuristic:

  • If the header’s b64 is false (RFC 7797), the payload segment is returned as-is (string).
  • Otherwise the base64url segment is decoded and parsed as JSON.
  • If JSON parse fails, the raw bytes are returned as a Buffer.

decodeProtectedHeader(token)

Reads only the header — handy when the very next step is picking a resolver keyed by kid:

import { decodeProtectedHeader, verify } from '@exortek/jws' const { kid, alg } = decodeProtectedHeader(token) const key = await store.get(kid) await verify(token, key, { alg: [alg] })

Errors

CodeWhen
INVALID_TOKENMalformed compact serialisation.
INVALID_HEADERHeader segment doesn’t decode to a JSON object.
INVALID_PAYLOADPayload segment doesn’t decode to a JSON value AND cannot fall back to raw bytes (rare).
Last updated on