Skip to content

Migration from jsonwebtoken

This guide maps the jsonwebtoken package API to keylab equivalents.

Signing

jsonwebtoken

ts
import jwt from "jsonwebtoken"

const token = jwt.sign({ sub: "user-1" }, "secret", {
  algorithm: "HS256",
  expiresIn: "1h",
})

keylab

ts
import { signJwtWithPrivateKey, JwtAlgorithmsEnum as Algs } from "keylab"

const token = await signJwtWithPrivateKey(
  {
    sub: "user-1",
    exp: Math.floor(Date.now() / 1000) + 3600,
  },
  Algs.HS256,
  "secret",
)

Or use the higher-level createSignedJwt:

ts
import { createSignedJwt, JwtAlgorithmsEnum as Algs } from "keylab"

const token = await createSignedJwt(
  {},
  {
    algorithm: Algs.HS256,
    claims: { sub: "user-1", iss: "me", aud: ["app"], scp: "read" },
    signinOptions: { secret: "secret", sessionDuration: 60 },
  },
)

Verification

jsonwebtoken

ts
const decoded = jwt.verify(token, "secret")

keylab

ts
import { checkTokenValidness } from "keylab"

// Symmetric
const result = await checkTokenValidness(token, { secret: "secret" })

// Asymmetric with JWKS
const result = await checkTokenValidness(token, {
  jwksUri: "https://issuer/.well-known/jwks.json",
})

// Asymmetric with adhoc keys
const result = await checkTokenValidness(token, {
  adhoc: [publicKeyJwk],
})

Decoding (without verification)

jsonwebtoken

ts
const payload = jwt.decode(token)
const header = jwt.decode(token, { complete: true }).header

keylab

ts
import { parseJwt } from "keylab"
import { JwtParts } from "keylab"

const payload = parseJwt(token, JwtParts.PAYLOAD)
const header = parseJwt(token, JwtParts.HEADER)

Error handling

jsonwebtoken

ts
try {
  jwt.verify(token, "secret")
} catch (err) {
  if (err instanceof jwt.TokenExpiredError) { ... }
  if (err instanceof jwt.JsonWebTokenError) { ... }
}

keylab

ts
import { TokenExpiredError, InvalidSignatureError, JsonWebTokenError } from "keylab"

try {
  await checkTokenValidness(token, { secret: "secret" })
} catch (err) {
  if (err instanceof TokenExpiredError) {
    console.log(err.expiredAt) // Date object
  }
  if (err instanceof InvalidSignatureError) { ... }
  if (err instanceof JsonWebTokenError) { ... } // catch-all
}

Key differences

Featurejsonwebtokenkeylab
AsyncNo (sync API)Yes (all async)
AlgorithmsRS/HS/ES/PSRS/HS/ES/PS + EdDSA, ES256K, Ed448, X448, ECDH-ES, AES KW, PBES2
JWENot supportedencryptJwe / decryptJwe
JWKSRequires jwks-rsaBuilt-in with caching
Cross-runtimeNode.js onlyNode.js, Bun, Deno, Workers, browsers
MiddlewareRequires express-jwtBuilt-in createJwtMiddleware
Token expiry utilsNot includedisTokenExpired, getTimeToExpiry
Dependencies02 (jose, @noble/curves)