npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

jwt-shield

v1.0.2

Published

Enhanced JWT implementation with payload encryption

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

amila-t-kumarasekaraamila-t-kumarasekara

Keywords

jwtencryptionsecurityauthentication

Readme

JWT Shield

A secure implementation of JSON Web Tokens (JWT) with encryption and signing capabilities. This package provides an extra layer of security by encrypting the JWT payload before signing, making it impossible to read the token contents without the proper encryption key.

Features

  • 🔒 Double Security: Combines encryption (AES) with JWT signing
  • 🛡️ GCM Support: Uses AES-GCM by default for authenticated encryption
  • 🔑 Key Derivation: Implements PBKDF2 for secure key derivation
  • 🎯 Type Safety: Written in TypeScript with full type definitions
  • Performance: Optimized for minimal overhead
  • 🔍 Validation: Built-in payload and key validation
  • 🆔 Key ID Support: Includes key identification for key rotation

Installation

npm install jwt-shield
# or
yarn add jwt-shield

Quick Start

import { SecureJWT } from 'jwt-shield';

// Initialize the service
const jwt = new SecureJWT({
  encryptionKey: process.env.JWT_ENCRYPTION_KEY,
  signingKey: process.env.JWT_SIGNING_KEY,
  algorithm: 'HS256',                // JWT signing algorithm
  encryptionAlgorithm: 'aes-256-gcm' // Encryption algorithm
});

// Sign a token
const token = jwt.sign({
  sub: 'user123',
  iss: 'https://your-domain.com',
  aud: 'https://your-domain.com',
  // ... other claims
});

// Verify a token
const payload = jwt.verify(token, {
  issuer: 'https://your-domain.com',
  audience: 'https://your-domain.com'
});

Security Features

1. Payload Encryption

  • The payload is encrypted using AES before JWT signing
  • Supports AES-256-GCM and AES-256-CBC algorithms
  • GCM mode provides authenticated encryption

2. Key Derivation

  • Uses PBKDF2 with SHA-512 for key derivation
  • Configurable iteration count (default: 100,000)
  • Unique salt generation per key

3. Entropy Validation

  • Validates encryption key entropy
  • Prevents usage of weak keys
  • Enforces minimum key length requirements

Configuration Options

interface SecureJWTOptions {
  encryptionKey: string | Buffer;    // Required: Key for payload encryption
  signingKey: string;               // Required: Key for JWT signing
  algorithm?: Algorithm;            // Optional: JWT signing algorithm (default: 'HS256')
  encryptionAlgorithm?: 'aes-256-gcm' | 'aes-256-cbc' | 'aes-192-gcm' | 'aes-192-cbc';
  iterations?: number;              // Optional: PBKDF2 iterations (default: 100000)
  expiresIn?: string | number;     // Optional: Token expiration (default: '1h')
}

Key Generation

Generate secure keys for both encryption and signing:

# Generate encryption key (32 bytes, base64 encoded)
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

# Generate signing key (32 bytes, base64 encoded)
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

Store these keys securely in your environment variables:

JWT_ENCRYPTION_KEY=your_base64_encoded_32_byte_encryption_key
JWT_SIGNING_KEY=your_base64_encoded_signing_key

Express.js Example

import { SecureJWT } from 'jwt-shield';
import express from 'express';

const app = express();
const jwt = new SecureJWT({
  encryptionKey: process.env.JWT_ENCRYPTION_KEY,
  signingKey: process.env.JWT_SIGNING_KEY
});

app.post('/login', (req, res) => {
  const token = jwt.sign({
    sub: req.user.id,
    iss: 'https://api.example.com',
    aud: 'https://api.example.com'
  });
  res.json({ token });
});

app.post('/verify', (req, res) => {
  try {
    const payload = jwt.verify(req.body.token, {
      issuer: 'https://api.example.com',
      audience: 'https://api.example.com'
    });
    res.json({ valid: true, payload });
  } catch (error) {
    res.status(401).json({ valid: false });
  }
});

Error Handling

The package throws SecureJWTError with specific error codes:

enum SecureJWTErrorCode {
  INVALID_KEY = 'INVALID_KEY',
  INVALID_ALGORITHM = 'INVALID_ALGORITHM',
  ENCRYPTION_FAILED = 'ENCRYPTION_FAILED',
  DECRYPTION_FAILED = 'DECRYPTION_FAILED',
  MISSING_AUTH_TAG = 'MISSING_AUTH_TAG',
  INVALID_PAYLOAD = 'INVALID_PAYLOAD',
  TOKEN_VERIFICATION_FAILED = 'TOKEN_VERIFICATION_FAILED',
  INVALID_TOKEN = 'INVALID_TOKEN'
}

Best Practices

  1. Key Management:

    • Use different keys for development and production
    • Rotate keys periodically
    • Store keys securely (e.g., using a key management service)

  2. Token Claims:

    • Always include iss (issuer) and aud (audience) claims
    • Set appropriate expiration times
    • Never include sensitive data like passwords

  3. Security:

    • Use HTTPS for token transmission
    • Implement token revocation if needed
    • Consider using refresh tokens for long-lived sessions

License

MIT

Contributing

Contributions are welcome! Please read our contributing guidelines before submitting pull requests.