npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@bklarjs/jwt

v1.0.3

Published

A JWT-based authentication middleware designed for the Bklar web framework.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

bernabedevbernabedev

Keywords

bklarbunjwtauthauthenticationmiddleware

Readme

@bklarjs/jwt

NPM Version License: MIT Tests

Official JWT (JSON Web Token) authentication middleware for the bklar framework.

It allows you to protect routes, verify tokens, and handle user authentication with a clear, simple, and secure API.

✨ Features

  • 🔒 Secure by Default: Built on top of jose, a modern, secure, and Web Cryptography API-based library for JWTs.
  • 🧩 Simple Integration: Add authentication to any route with just a few lines of code.
  • 🔧 Flexible Configuration: Customize token retrieval, validation algorithms, and optional authentication (passthrough mode).
  • 🧰 Helper Functions Included: Comes with sign, verify, and decode helpers for a complete authentication solution out of the box.
  • 🛡️ Full TypeScript Support: Automatically augments the bklar Context to provide a strongly-typed ctx.state.jwt payload in your protected routes.

📦 Installation

This package is designed to work with bklar. You'll need both installed in your project.

bun add bklar @bklarjs/jwt

🚀 Usage

Using the middleware involves two main steps: creating tokens (e.g., during login) and verifying them to protect routes.

1. Protecting a Route

First, create an instance of the JWT middleware and apply it to a route you want to protect.

import { Bklar } from "bklar";
import { jwt } from "@bklarjs/jwt";

const app = Bklar();

// It's highly recommended to use an environment variable for your secret.
const JWT_SECRET = "a-very-strong-secret-key";

// Create an instance of the auth middleware with your secret
const authMiddleware = jwt({ secret: JWT_SECRET });

app.get(
  "/profile",
  (ctx) => {
    // If we reach this handler, the token is valid.
    // The decoded JWT payload is available at `ctx.state.jwt`.
    const userPayload = ctx.state.jwt;

    return ctx.json({
      message: "Welcome to your protected profile!",
      user: userPayload,
    });
  },
  {
    middlewares: [authMiddleware],
  }
);

app.listen(3000);

To access this route, a client must provide a valid JWT in the Authorization header: Authorization: Bearer <your-token>

2. Creating a Token (Login Flow)

To get a token, you typically create a /login endpoint. This package includes a sign helper to make this easy.

import { Bklar } from "bklar";
import { jwt, sign } from "@bklarjs/jwt";
import { z } from "zod";

const app = Bklar();
const JWT_SECRET = "a-very-strong-secret-key";

// Example user service (in a real app, this would query a database)
const UserService = {
  login: async (email: string, pass: string) => {
    if (email === "[email protected]" && pass === "password123") {
      return { id: "user_123", email, role: "user" };
    }
    return null;
  },
};

// Login endpoint to generate a token
app.post(
  "/login",
  async (ctx) => {
    const { email, password } = ctx.body;
    const user = await UserService.login(email, password);

    if (!user) {
      // The bklar error handler will catch this and respond with a 401.
      throw new UnauthorizedError("Invalid email or password");
    }

    // Sign a new token for the authenticated user
    const token = await sign(
      { sub: user.id, email: user.email, role: user.role },
      JWT_SECRET,
      "HS256",
      { expiresIn: "1h" } // Token is valid for 1 hour
    );

    return ctx.json({ token });
  },
  {
    schemas: {
      body: z.object({
        email: z.string().email(),
        password: z.string(),
      }),
    },
  }
);

app.listen(3000);

⚙️ Configuration Options

The jwt() factory accepts an options object:

  • secret: (Required) A string or Uint8Array used to sign and verify tokens.
  • algorithms: An optional array of allowed signing algorithms (e.g., ['HS256', 'HS512']). Defaults to ['HS256'].
  • passthrough: A boolean. If true, the middleware will not throw an error if the token is missing or invalid. ctx.state.jwt will simply be undefined. Useful for routes with optional authentication. Defaults to false.
  • getToken: A custom function (ctx: Context) => string | undefined to extract the token from the request. By default, it looks for a Bearer token in the Authorization header.

Example: Optional Authentication

const optionalAuth = jwt({ secret: JWT_SECRET, passthrough: true });

app.get(
  "/posts/:id",
  (ctx) => {
    if (ctx.state.jwt) {
      // User is logged in, show personalized content
      return ctx.json({
        content: "A post.",
        personalizedFor: ctx.state.jwt.sub,
      });
    }
    // User is a guest, show public content
    return ctx.json({ content: "A post." });
  },
  { middlewares: [optionalAuth] }
);

🧰 API Reference

This package exports the following:

  • jwt(options: JWTOptions): Middleware: The main factory function that creates the authentication middleware.
  • sign(payload, secret, alg, options): An async function to create and sign a new JWT.
  • verify(token, secret, algorithms): An async function to verify a token. It throws an error if invalid or returns the payload if valid.
  • decode(token): A synchronous function that decodes a token's payload without verifying its signature. Use with caution.

🤝 Contributing

Contributions are welcome! Please open an issue or submit a Pull Request to the main bklar repository.

📄 License

This project is licensed under the MIT License.