Gathering detailed insights and metrics for jwt-decode
Gathering detailed insights and metrics for jwt-decode
Decode JWT tokens; useful for browser applications.
Installations
npm install jwt-decodeScore
99.5
Supply Chain
100
Quality
83.4
Maintenance
100
Vulnerability
100
License
Releases
6
Contributors
60
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4){kind=avatar}
Developer
auth0
Developer Guide
BETA
Module System
ESM
Min. Node Version
>=18
Typescript Support
Yes
Node Version
18.18.2
NPM Version
9.8.1
Statistics
3,219 Stars
319 Commits
340 Forks
137 Watching
8 Branches
60 Contributors
Updated on 28 Nov 2024
Bundle Size
1.15 kB
Minified
606.00 B
Minified + Gzipped
Languages
TypeScript (83.19%)
HTML (16.81%)
Total Downloads
Cumulative downloads
Total Downloads
1,027,641,849
Last day
-5.3%
1,368,572
Compared to previous day
Last week
2.7%
7,563,526
Compared to previous week
Last month
5.8%
31,846,627
Compared to previous month
Last year
27.5%
334,334,337
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
IMPORTANT: This library doesn't validate the token, any well-formed JWT can be decoded. You should validate the token in your server-side logic by using something like express-jwt, koa-jwt, Microsoft.AspNetCore.Authentication.JwtBearer, etc.
:books: Documentation - :rocket: Getting Started - :speech_balloon: Feedback
Documentation
- Docs site - explore our docs site and learn more about Auth0.
Getting started
Installation
Install with NPM or Yarn.
Run npm install jwt-decode or yarn add jwt-decode to install the library.
Usage
1import { jwtDecode } from "jwt-decode"; 2 3const token = "eyJ0eXAiO.../// jwt token"; 4const decoded = jwtDecode(token); 5 6console.log(decoded); 7 8/* prints: 9 * { 10 * foo: "bar", 11 * exp: 1393286893, 12 * iat: 1393268893 13 * } 14 */ 15 16// decode header by passing in options (useful for when you need `kid` to verify a JWT): 17const decodedHeader = jwtDecode(token, { header: true }); 18console.log(decodedHeader); 19 20/* prints: 21 * { 22 * typ: "JWT", 23 * alg: "HS256" 24 * } 25 */
Note: A falsy or malformed token will throw an InvalidTokenError error; see below for more information on specific errors.
Polyfilling atob
This library relies on atob(), which is a global function available on all modern browsers as well as every supported node environment.
In order to use jwt-decode in an environment that has no access to atob() (e.g. React Native), ensure to provide the corresponding polyfill in your application by using core-js/stable/atob:
1import "core-js/stable/atob";
Alternatively, you can also use base-64 and polyfill global.atob yourself:
1import { decode } from "base-64"; 2global.atob = decode;
Errors
This library works with valid JSON web tokens. The basic format of these token is
[part1].[part2].[part3]
All parts are supposed to be valid base64 (url) encoded json.
Depending on the { header: <option> } option it will decode part 1 (only if header: true is specified) or part 2 (default)
Not adhering to the format will result in a InvalidTokenError with one of the following messages:
Invalid token specified: must be a string=> the token passed was not a string, this library only works on strings.Invalid token specified: missing part #=> this probably means you are missing a dot (.) in the tokenInvalid token specified: invalid base64 for part #=> the part could not be base64 decoded (the message should contain the error the base64 decoder gave)Invalid token specified: invalid json for part #=> the part was correctly base64 decoded, however, the decoded value was not valid JSON (the message should contain the error the JSON parser gave)
Use with TypeScript
The return type of the jwtDecode function is determined by the header property of the object passed as the second argument. If omitted (or set to false), it'll use JwtPayload, when true it will use JwtHeader.
If needed, you can specify what the expected return type should be by passing a type argument to the jwtDecode function.
You can extend both JwtHeader and JwtPayload to include non-standard claims or properties.
1import { jwtDecode } from "jwt-decode"; 2 3const token = "eyJhsw5c"; 4const decoded = jwtDecode<JwtPayload>(token); // Returns with the JwtPayload type
Use as a CommonJS package
1const { jwtDecode } = require('jwt-decode'); 2...
Include with a script tag
Copy the file jwt-decode.js from the root of the build/esm folder to your project somewhere, then import jwtDecode from it inside a script tag that's marked with type="module":
1<script type="module"> 2 import { jwtDecode } from "/path/to/jwt-decode.js"; 3 4 const token = "eyJhsw5c"; 5 const decoded = jwtDecode(token); 6</script>
Feedback
Contributing
We appreciate feedback and contribution to this repo! Before you get started, please see the following:
Raise an issue
To provide feedback or report a bug, please raise an issue on our issue tracker.
Vulnerability Reporting
Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0?
This project is licensed under the MIT license. See the LICENSE file for more info.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
all changesets reviewed
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/auth0/.github/.github/SECURITY.md:1
- Info: Found linked content: github.com/auth0/.github/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/auth0/.github/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/auth0/.github/.github/SECURITY.md:1
Reason
SAST tool detected
Details
- Info: SAST configuration detected: Snyk
- Warn: 0 commits out of 30 are checked with a SAST tool
Reason
dependency not pinned by hash detected -- score normalized to 6
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/auth0/jwt-decode/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/auth0/jwt-decode/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-release.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/auth0/jwt-decode/npm-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semgrep.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/auth0/jwt-decode/semgrep.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/snyk.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/auth0/jwt-decode/snyk.yml/main?enable=pin
- Info: 0 out of 5 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 1 third-party GitHubAction dependencies pinned
- Info: 1 out of 1 npmCommand dependencies pinned
Reason
5 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Reason
2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:11
- Warn: no topLevel permission defined: .github/workflows/npm-release.yml:1
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:10
- Warn: no topLevel permission defined: .github/workflows/semgrep.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/snyk.yml:17
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
6.2
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More