JWT

Overview

This node provides functionality to work with JSON Web Tokens (JWT). It supports three main operations: signing a payload to create a JWT, verifying the authenticity and validity of a JWT, and decoding a JWT without verification. This is useful in scenarios where secure token-based authentication or data exchange is required, such as API authentication, session management, or securely transmitting claims between parties.

For example:

  • Sign: Create a JWT with custom claims and a selected cryptographic algorithm.
  • Verify: Check if a received JWT is valid, correctly signed, and optionally check expiration and "not before" constraints.
  • Decode: Extract the payload from a JWT without validating its signature, useful for debugging or inspecting tokens; because nothing is checked, the result must be treated as untrusted input.

Properties

  Name                  | Meaning
  ----------------------|------------------------------------------------------------------------------------------------------
  Algorithm             | The cryptographic algorithm used for signing or verifying the token. Options include ES256, HS256, RS512, etc.
  Token                 | The JWT string to verify or decode.
  Return Complete Token | If true, returns the entire token object including header and signature, not just the payload.
  Ignore Expiration     | When verifying, if true, skips validation of the token's expiration time (exp claim).
  Ignore Not Before     | When verifying, if true, skips validation of the token's "not before" time (nbf claim).
  Clock Tolerance       | Number of seconds to allow as tolerance when checking nbf and exp claims to account for clock skew.

Output

The output JSON structure depends on the operation:

  • Sign: Outputs an object with a single field token containing the signed JWT string.

    {
      "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
    }
    
  • Verify: Outputs the decoded token payload if verification succeeds. If "Return Complete Token" is enabled, outputs the full token object including header and signature. The output includes all claims present in the token.

  • Decode: Outputs the decoded token payload or the complete token object if requested, without verifying the signature.

No binary data output is produced by this node.

Dependencies

  • Requires an API key credential that provides either a secret passphrase or a private/public key pair for signing and verifying tokens.
  • Uses the jsonwebtoken library internally for JWT operations.
  • May require proper formatting of keys depending on their type (handled internally).
  • No additional external services are called; all operations are local.

Troubleshooting

  • Invalid Signature Error: Occurs if the token signature does not match the expected signature using the provided key and algorithm. Ensure the correct key and algorithm are used.
  • Token Expired Error: Happens if the token's expiration time has passed and "Ignore Expiration" is not enabled. To fix, either refresh the token or enable ignoring expiration if appropriate.
  • Not Before Error: Raised if the current time is before the token's "not before" claim and "Ignore Not Before" is false. Adjust system clocks or enable ignoring this check if needed.
  • Malformed Token: If the token string is invalid or corrupted, decoding or verification will fail. Verify the token format.
  • Credential Issues: If the key or passphrase is missing or incorrectly formatted, signing or verification will fail. Confirm credentials are properly configured.
