npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@chrislyons-dev/flarelette-jwt

v1.13.0

Published

Environment-driven JWT authentication for Cloudflare Workers with secret-name indirection

Downloads

23

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

cjlyonscjlyons

Keywords

jwtauthenticationcloudflareworkersedgehs512eddsaed25519jwksflarelette

Readme

Flarelette JWT Kit

npm version PyPI version npm downloads PyPI downloads CI Status License Documentation

Environment-driven JWT authentication for Cloudflare Workers. Like Starlette, but for the edge.

Cross-language JWT toolkit (TypeScript + Python) with identical APIs. Automatically selects HS512 or EdDSA based on environment configuration, loads secrets via Cloudflare bindings, and works across Workers, Node.js, and Python runtimes.

Part of the Flarelette Ecosystem

Flarelette JWT Kit provides the core cryptographic operations for the Flarelette authentication stack. It's framework-neutral by design — use it directly for low-level JWT operations or through higher-level adapters like flarelette-hono for route guards and middleware integration.

Stack layers:

  • Your services → Use JWT auth in APIs and UIs
  • flarelette / flarelette-hono → Framework middleware and route guards
  • flarelette-jwt-kit (this package) → Core JWT signing, verification, and key management
  • Platform secrets → Cloudflare bindings, environment variables

Quick Start

Installation

TypeScript/JavaScript:

npm install @chrislyons-dev/flarelette-jwt

Python (Cloudflare Workers only):

pip install flarelette-jwt

Note: The Python package requires Cloudflare Workers Python runtime (Pyodide). For standard Python environments, use the TypeScript package via Node.js.

Two APIs: Choose Your Style

Option 1: Environment-Based (Production-Ready)

Perfect for production with Cloudflare bindings. Zero configuration code:

TypeScript:

import { sign, verify } from '@chrislyons-dev/flarelette-jwt'

// Reads JWT_SECRET_NAME, JWT_ISS, JWT_AUD from environment
const token = await sign({ sub: 'user123', permissions: ['read:data'] })
const payload = await verify(token)

Option 2: Explicit Configuration (Development-Friendly) 🆕

Perfect for development and testing. No environment setup required:

TypeScript:

import {
  signWithConfig,
  verifyWithConfig,
  createHS512Config,
} from '@chrislyons-dev/flarelette-jwt'

// Pass configuration directly
const config = createHS512Config('your-secret', {
  iss: 'https://gateway.example.com',
  aud: 'api.example.com',
})

const token = await signWithConfig({ sub: 'user123' }, config)
const payload = await verifyWithConfig(token, config)

New in v1.9.0: The explicit configuration API eliminates environment setup complexity. See Explicit Configuration Guide.

Basic Example (Environment-Based)

TypeScript:

import { sign, verify } from '@chrislyons-dev/flarelette-jwt'

// Sign a token (algorithm chosen from environment)
const token = await sign({ sub: 'user123', permissions: ['read:data'] })

// Verify a token
const payload = await verify(token)
if (payload) {
  console.log('Valid token:', payload.sub)
}

Python:

from flarelette_jwt import sign, verify

# Sign a token (algorithm chosen from environment)
token = await sign({"sub": "user123", "permissions": ["read:data"]})

# Verify a token
payload = await verify(token)
if payload:
    print(f"Valid token: {payload.get('sub')}")

Key Features

  • Algorithm auto-detection — Chooses HS512, EdDSA, or RSA based on environment variables
  • HTTP JWKS for OIDC — Verify tokens from Auth0, Okta, Google, Azure AD, and Cloudflare Access (TypeScript)
  • Secret-name indirection — References Cloudflare secret bindings instead of raw values
  • Identical TypeScript + Python APIs — Same function names and behavior across languages
  • Service bindings for JWKS — Direct Worker-to-Worker RPC for key distribution
  • Zero-trust delegation — RFC 8693 actor claims for service-to-service authentication
  • Policy-based authorization — Fluent API for composing permission and role requirements
  • Explicit configuration API — Test without environment variables using config objects

Security

Flarelette JWT Kit is designed to prevent common JWT vulnerabilities:

  • No algorithm confusion — Mode determined by server configuration only, never from token headers. Strict algorithm whitelists per mode.
  • No RS↔HS attacks — Symmetric and asymmetric keys never shared. Configuration error thrown if both HS512 and EdDSA/RSA secrets configured.
  • No JWKS injection — JWKS URLs pinned in configuration, jku/x5u headers ignored.
  • Strong secrets enforced — 64-byte minimum for HS512 (512 bits), matching SHA-512 digest size.
  • Algorithm pinning at import — Keys imported with explicit algorithm specification, preventing repurposing.

Mode selection is driven exclusively by server environment variables:

  • HS512 mode: algorithms: ['HS512'] only
  • EdDSA/RSA mode: algorithms: ['EdDSA', 'RS256', 'RS384', 'RS512'] only

The alg header is treated as untrusted input and must match the allowed algorithms for the selected mode. Mismatches are rejected.

For complete security documentation, see docs/security-guide.md.

Configuration

Configuration is entirely environment-driven. No config files required.

Common environment variables:

JWT_ISS=https://gateway.example.com    # Token issuer
JWT_AUD=api.example.com                 # Token audience
JWT_TTL_SECONDS=900                     # Token lifetime (default: 15 min)
JWT_LEEWAY=90                           # Clock skew tolerance (default: 90 sec)

HS512 mode (symmetric, shared secret):

JWT_SECRET_NAME=MY_JWT_SECRET           # Reference to secret binding

EdDSA mode (asymmetric, Ed25519):

# Producer (signs tokens):
JWT_PRIVATE_JWK_NAME=GATEWAY_PRIVATE_KEY
JWT_KID=ed25519-2025-01

# Consumer (verifies tokens):
JWT_PUBLIC_JWK_NAME=GATEWAY_PUBLIC_KEY
# OR for key rotation:
JWT_JWKS_SERVICE_NAME=GATEWAY_BINDING

HTTP JWKS mode (external OIDC providers - TypeScript only):

Verify tokens from Auth0, Okta, Google, Azure AD, and other OIDC providers:

# Environment-based configuration:
JWT_ISS=https://tenant.auth0.com/
JWT_AUD=your-client-id
JWT_JWKS_URL=https://tenant.auth0.com/.well-known/jwks.json
JWT_JWKS_CACHE_TTL_SECONDS=300  # Optional: cache duration (default: 5 minutes)

Explicit configuration (no environment setup):

import {
  verifyWithConfig,
  createJWKSUrlVerifyConfig,
} from '@chrislyons-dev/flarelette-jwt'

const config = createJWKSUrlVerifyConfig(
  'https://tenant.auth0.com/.well-known/jwks.json',
  {
    iss: 'https://tenant.auth0.com/',
    aud: 'your-client-id',
  },
  300 // cacheTtl in seconds
)

const payload = await verifyWithConfig(token, config)

Supported OIDC providers:

  • Auth0: https://tenant.auth0.com/.well-known/jwks.json
  • Okta: https://domain.okta.com/oauth2/default/v1/keys
  • Google: https://www.googleapis.com/oauth2/v3/certs
  • Azure AD: https://login.microsoftonline.com/tenant-id/discovery/v2.0/keys
  • Cloudflare Access: https://team.cloudflareaccess.com/cdn-cgi/access/certs

Note: HTTP JWKS is TypeScript-only. Python support pending Cloudflare runtime improvements.

Verification Key Resolution Priority

When verifying tokens, the library uses the first available key source in this order:

  1. HS512 shared secretJWT_SECRET or JWT_SECRET_NAME
  2. Inline public JWKJWT_PUBLIC_JWK or JWT_PUBLIC_JWK_NAME
  3. Service binding JWKSJWT_JWKS_SERVICE or JWT_JWKS_SERVICE_NAME (TypeScript only)
  4. HTTP JWKS URLJWT_JWKS_URL (TypeScript only)

Security note: The library prevents mode confusion by rejecting configurations that mix symmetric (HS512) and asymmetric (EdDSA/RSA) secrets.

Documentation

CLI Tools

Generate HS512 secrets:

npx flarelette-jwt-secret --len=64 --dotenv

Generate EdDSA keypairs:

npx flarelette-jwt-keygen --kid=ed25519-2025-01

Contributing

See CONTRIBUTING.md for development setup, coding standards, and release procedures.

License

MIT — see LICENSE for details.

Security

For security concerns or vulnerability reports, see docs/security-guide.md or open a security issue.