Important: This documentation covers Yarn 1 (Classic).

For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

idtoken-verifier

auth0659.1kMIT2.2.4

A lightweight library to decode and verify RS JWT meant for the browser.

auth0, auth, authentication, jwt, verification, RS256, browser

readme

A lightweight library to decode and verify RSA ID tokens meant for the browser.

:books: Documentation - :rocket: Getting Started - :computer: API Reference - :speech_balloon: Feedback

Documentation

API Reference
Docs Site - explore our Docs site and learn more about Auth0

Getting Started

Installation

Using npm in your project directory run the following command:

npm install idtoken-verifier

Verify an ID token

Import the library, create an instance of IdTokenVerifier and call the verify method to verify an ID token:

import IdTokenVerifier from 'idtoken-verifier';

const verifier = new IdTokenVerifier({
  issuer: 'https://my.auth0.com/',
  audience: 'gYSNlU4YC4V1YPdqq8zPQcup6rJw1Mbt'
});

verifier.verify(id_token, nonce, (error, payload) => {
  if (error) {
    // handle the error
    return;
  }

  // do something with `payload`
});

API Reference

Feedback

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

Raise an issue

To provide feedback or report a bug, please raise an issue on our issue tracker.

Vulnerability Reporting

Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

What is Auth0?

<picture> <source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150"> <source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150"> Auth0 Logo </picture>

Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0?

This project is licensed under the Apache 2.0 license. See the LICENSE file for more info.

changelog

Change Log

v2.2.4 (2023-10-26)

Security

Bump crypto-js from 4.1.1 to 4.2.0 #176 (dependabot[bot])

v2.2.3 (2023-02-06)

Changed

[SDK-3693] Readme Redesign #159 (stevehobbsdev)

Security

Bump jsonwebtoken from 8.5.1 to 9.0.0 #165 (dependabot[bot])

v2.2.2 (2021-10-15)

Fixed

Fix types for overloaded verify method #145 (stevehobbsdev)

v2.2.1 (2021-08-24)

Security

Depdency updates #138 (stevehobbsdev)

v2.2.0 (2021-06-18)

Added

Added TypeScript typings #122 (ItalyPaleAle)

v2.1.2 (2021-05-26)

Security

Pin crypto-js to 3.3.0 #131 (stevehobbsdev)

v2.1.1 (2021-05-25)

Fixed

Fixed: exception when key not found in JWKS #121 (ItalyPaleAle)
Remove inconsistencies in verify method's callback invocations #120 (ItalyPaleAle)

Security

Fix vulnerability with crypto-js 3.3.0 and run audit fix #128 (frederikprijck)
[Security] Bump y18n from 4.0.0 to 4.0.1 #119 (dependabot-preview[bot])

v2.1.0 (2020-09-11)

Changed

Asynchronous JWKS cache #107 (ItalyPaleAle)
Migrate to NPM package lock over Yarn, and update dependencies #114 (stevehobbsdev)

Security

Bump bl from 3.0.0 to 3.0.1 #111 (dependabot[bot])
Bump codecov from 3.6.5 to 3.7.1 #109 (dependabot-preview[bot])
Bump lodash from 4.17.15 to 4.17.19 #108 (dependabot[bot])
Bump handlebars from 4.5.3 to 4.7.6 #106 (dependabot-preview[bot])

v2.0.3 (2020-04-23)

Fixed

Fixed bug with keys not first in keybag #101 (ItalyPaleAle)

v2.0.2 (2020-02-20)

Security

[Snyk] Security upgrade crypto-js from 3.1.9-1 to 3.2.1 #98 (crew-security)

v2.0.1 (2020-01-10)

Removed

[SDK-1266] Removed iat future value check #95 (stevehobbsdev)

v2.0.0 (2019-12-06)

This new major version introduces more validation checks on ID tokens for OIDC conformance and as such could introduce a breaking change if you are already validating tokens that are not OIDC conformant.

In addition, methods that were marked as deprecated in v1.5.0 have now been removed. From here, always use the verify method to validate ID tokens.

Changed

Added build step into the versioning process (to be done before release) #93 (stevehobbsdev)
Updated dependencies #92 (stevehobbsdev)

Removed

Removed deprecated methods + tests #90 (stevehobbsdev)

Security

[SDK-974] Improved OIDC compliance #89 (stevehobbsdev)
Bump tough-cookie from 2.3.2 to 2.3.4 #88 (dependabot[bot])
Bump stringstream from 0.0.5 to 0.0.6 #87 (dependabot[bot])
Bump extend from 3.0.1 to 3.0.2 #86 (dependabot[bot])
Bump sshpk from 1.13.0 to 1.16.1 #85 (dependabot[bot])
Bump lodash.merge from 4.6.1 to 4.6.2 #84 (dependabot[bot])

v1.5.1 (2019-12-06)

Re-release to correct build directory error

v1.5.0 (2019-12-05)

Added

[SDK-1166] Replaced promise-polyfill with es6-promise, applied globally #78 (stevehobbsdev)

v1.4.1 (2019-07-09)

Fixed

Use unfetch without requiring window at load time #42 (luisrudge)

v1.4.0 (2019-06-18)

Fixed

Validate claims after verifying the signature of the token #39 (luisrudge)

v1.3.0 (2019-06-05)

Changed

Increase leeway limit to 300s #31 (luisrudge)
Replace superagent with unfetch #27 (luisrudge)

v1.2.0 (2018-03-21)

Added

Add option to set the endpoint to fetch the jwks.json file #19 (luisrudge)
Adding access_token validation method validateAccessToken #17 (luisrudge)

v1.1.2 (2018-03-01)

Fixed

Fixing issue with IdTokenVerifier.getRsaVerifier #14 (dfung)
Use base64-js methods instead of browser globals atob and btoa #15 (maxbeatty)

v1.1.1 (2018-01-15)

Changed

Upgrade superagent version #10 (luisrudge)

v1.1.0 (2017-06-15)

Changed

Replace iat check with nbf check. #7 (nicosabena)

v1.0.2 (2017-05-08)

Fixed

FIX decode base64 string with special characters. #6 (dctoon)

v1.0.1 (2017-05-08)

Fixed

Handle JSON.parse errors during decode #3 (rolodato)

v1.0.0 (2016-12-30)

A lightweight library to decode and verify RS JWT meant for the browser.

Usage

var IdTokenVerifier = require('idtoken-verifier');

var verifier = new IdTokenVerifier({
        issuer: 'https://my.auth0.com/',
        audience: 'gYSNlU4YC4V1YPdqq8zPQcup6rJw1Mbt'
    });

verifier.verify(id_token, nonce, function(error, payload) {
    ...
});

var decoded = verifier.decode(id_token);