Clone or download
VitaliiLakusta and luisrudge Add hint in README to use Map object for JWKS cache (#24)
As a first-time user of the library, and the one who is not very fluent in javascript, I was about to write my own implementation for essentially javascript's new Map() object, which can be easily plugged in into jwksCache paramater. 

I think this small description can save some not-fluent-in-js devs a couple or dozen of minutes when trying to make jwks cache work in this library. This PR is more like a feedback from me, decided to share. 

P. S. Another piece of feedback is that I use this library in Lambda@Edge in front of AWS Cloudfront, since the lambda there should be really really small (1MB zipped including node_modules). Thus I couldn't afford to use classic `jsonwebtoken` lib etc.
Latest commit 96d17d3 Jul 6, 2018
Failed to load latest commit information.
docs v1.2.0 (#20) Mar 21, 2018
test Adding access_token validation method `validateAccessToken` (#17) Mar 21, 2018
.gitignore Avoid breaking change by re-adding verifyIatAndNbf Jun 15, 2017
.jsdoc.json Avoid breaking change by re-adding verifyIatAndNbf Jun 15, 2017
Jenkinsfile Create Jenkinsfile Jun 16, 2017
LICENSE Add hint in README to use Map object for JWKS cache (#24) Jul 6, 2018
circle.yml Clean scripts and ci May 18, 2017
codecov.yml Rename codecov.yml Jun 15, 2017
gulpfile.js initial commit Dec 29, 2016
package.json v1.2.0 (#20) Mar 21, 2018
yarn.lock Adding access_token validation method `validateAccessToken` (#17) Mar 21, 2018


Build Status NPM version Coverage License Downloads

A lightweight library to decode and verify RS JWT meant for the browser.


var IdTokenVerifier = require('idtoken-verifier');

var verifier = new IdTokenVerifier({
    issuer: '',
    audience: 'gYSNlU4YC4V1YPdqq8zPQcup6rJw1Mbt'

verifier.verify(id_token, nonce, function(error, payload) {

var decoded = verifier.decode(id_token);


Initializes the verifier.


  • configuration
    • issuer: the issuer you trust to sign the tokens.
    • audience: the audience the token is issued for.
    • leeway: when there is a clock skew times between the signing and verifying servers. The leeway should not be biger than a minute.
    • jwksCache: the verifier will try to fetch the JWKS from the /.well-known/jwks.json endpoint (or jwksURI if provided) each time it verifies a token. You can provide a cache to store the keys and avoid repeated requests. For the contract, check this example. Hint: for in-memory cache, an easy way is to just provide new Map(), which is a valid object for jwksCache.
    • jwksURI: A valid, direct URI to fetch the JSON Web Key Set (JWKS). Defaults to ${id_token.iss}/.well-known/jwks.json
  • callback
    • error: the validation error if any, null otherwise
    • payload: the decoded jwt payload


This method will decode the token, verify the issuer, audience, expiration, algorithm and nonce claims and after that will verify the token signature.


  • id_token: the id_token to verify.
  • nonce: the nonce previously sent to tha authorization server.
  • callback


This method will decode the token header and payload WITHOUT doing any verification.


  • id_token: the id_token to decode.


  • header: the decoded header.
  • payload: the decoded payload.
  • encoded: the parts without decode
    • header: the header string.
    • payload: the payload string.
    • signature: the signature string.


To make it as lightweight as posible, it only provides support for RS256 tokens. It can be easily extensible to other RS* algorithms.

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.




This project is licensed under the MIT license. See the LICENSE file for more info.