Gathering detailed insights and metrics for get-jwks
Gathering detailed insights and metrics for get-jwks
Gathering detailed insights and metrics for get-jwks
Gathering detailed insights and metrics for get-jwks
npm install get-jwks
Typescript
Module System
Min. Node Version
Node Version
NPM Version
JavaScript (97.93%)
TypeScript (2.07%)
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
MIT License
30 Stars
222 Commits
18 Forks
89 Watchers
4 Branches
51 Contributors
Updated on Jun 30, 2025
Latest Version
11.0.1
Package Id
get-jwks@11.0.1
Unpacked Size
14.11 kB
Size
5.39 kB
File Count
8
NPM Version
10.8.2
Node Version
20.19.1
Published on
May 21, 2025
Cumulative downloads
Total Downloads
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
2
Fetch utils for JWKS keys
1npm install get-jwks
1const https = require('node:https')
2const buildGetJwks = require('get-jwks')
3
4const getJwks = buildGetJwks({
5 max: 100,
6 ttl: 60 * 1000,
7 timeout: 5000,
8 issuersWhitelist: ['https://example.com'],
9 checkIssuer: issuer => {
10 return issuer === 'https://example.com'
11 },
12 providerDiscovery: false,
13 fetchOptions: {
14 headers: {
15 'Content-Type': 'application/json'
16 }
17 },
18})
max
: Max items to hold in cache. Defaults to 100.ttl
: Milliseconds an item will remain in cache. Defaults to 60s.timeout
: Specifies how long it should wait to retrieve a JWK before it fails. The time is set in milliseconds. Defaults to 5s.issuersWhitelist
: Array of allowed issuers. By default all issuers are allowed.allowedDomains
: This has been deprecated and replaced with issuersWhitelist
.checkIssuer
: Optional user defined function to validate a token's domain.providerDiscovery
: Indicates if the Provider Configuration Information is used to automatically get the jwks_uri from the OpenID Provider Discovery Endpoint. This endpoint is exposing the Provider Metadata. With this flag set to true the domain will be treated as the OpenID Issuer which is the iss property in the token. Defaults to false. Ignored if jwksPath is specified.jwksPath
: Specify a relative path to the jwks_uri. Example /otherdir/jwks.json
. Takes precedence over providerDiscovery. Optional.fetchOptions
: The custom RequestInit used to instrument fetch
. Optional.
max
andttl
are provided to lru-cache.
1const buildGetJwks = require('get-jwks') 2 3const getJwks = buildGetJwks() 4 5const jwk = await getJwks.getJwk({ 6 domain: 'https://example.com/', 7 alg: 'token_alg', 8 kid: 'token_kid', 9})
Calling the asynchronous function getJwk
will fetch the JSON Web Key, and verify if any of the public keys matches the provided alg
(if any) and kid
values. It will cache the matching key so if called again it will not make another request to retrieve a JWKS. It will also use a cache to store stale values which is used in case of errors as a fallback mechanism.
domain
: A string containing the domain (e.g. https://www.example.com/
, with or without trailing slash) from which the library should fetch the JWKS. If providerDiscovery flag is set to false get-jwks
will add the JWKS location (.well-known/jwks.json
) to form the final url (ie: https://www.example.com/.well-known/jwks.json
) otherwise the domain will be treated as tthe openid issuer and the retrival will be done via the Provider Discovery Endpoint.alg
: The alg header parameter is an optional parameter that represents the cryptographic algorithm used to secure the token. You will find it in your decoded JWT.kid
: The kid is a hint that indicates which key was used to secure the JSON web signature of the token. You will find it in your decoded JWT.1const buildGetJwks = require('get-jwks') 2 3const getJwks = buildGetJwks() 4 5const publicKey = await getJwks.getPublicKey({ 6 domain: 'https://exampe.com/', 7 alg: 'token_alg', 8 kid: 'token_kid', 9})
Calling the asynchronous function getPublicKey
will run the getJwk
function to retrieve a matching key, then convert it to a PEM public key. It requires the same arguments as getJwk
.
This library can be easily used with other JWT libraries.
@fastify/jwt is a Json Web Token plugin for Fastify.
The following example includes a scenario where you'd like to verify a JWT against a valid JWK on any request to your Fastify server. Any request with a valid JWT auth token in the header will return a successful response, otherwise will respond with an authentication error.
1const Fastify = require('fastify') 2const fjwt = require('@fastify/jwt') 3const buildGetJwks = require('get-jwks') 4 5const fastify = Fastify() 6const getJwks = buildGetJwks() 7 8fastify.register(fjwt, { 9 decode: { complete: true }, 10 issuersWhitelist: ['https://example.com'], 11 checkIssuer: issuer => { 12 return issuer === 'https://example.com' 13 }, 14 secret: (request, token, callback) => { 15 const { 16 header: { kid, alg }, 17 payload: { iss }, 18 } = token 19 getJwks 20 .getPublicKey({ kid, domain: iss, alg }) 21 .then(publicKey => callback(null, publicKey), callback) 22 }, 23}) 24 25fastify.addHook('onRequest', async (request, reply) => { 26 await request.jwtVerify() 27}) 28 29fastify.listen(3000)
fast-jwt is a fast JSON Web Token implementation.
The following example shows how to use JWKS in fast-jwt via get-jwks.
1const { createVerifier } = require('fast-jwt') 2const buildGetJwks = require('get-jwks') 3 4// well known url of the token issuer 5// often encoded as the `iss` property of the token payload 6const domain = 'https://...' 7 8const getJwks = buildGetJwks({ issuersWhitelist: [...]}) 9 10// create a verifier function with key as a function 11const verifyWithPromise = createVerifier({ 12 key: async function ({ header }) { 13 const publicKey = await getJwks.getPublicKey({ 14 kid: header.kid, 15 alg: header.alg, 16 domain, 17 }) 18 return publicKey 19 }, 20}) 21 22const payload = await verifyWithPromise(token)
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
Reason
9 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8
Reason
Found 6/13 approved changesets -- score normalized to 4
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
security policy file not detected
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Score
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More