api-auth
@rtorcato/api-auth provides framework-agnostic helpers for signing and verifying
JWTs, plus extractors that pull a token from an Authorization header or cookie.
It wraps jsonwebtoken and throws UnauthorizedError on invalid tokens so
error-handling middleware downstream handles the 401 automatically.
Install
pnpm add @rtorcato/api-auth
jsonwebtoken is bundled. No peer dependency needed.
Sign a token
import { signToken } from '@rtorcato/api-auth'
const token = signToken({ sub: user.id, role: user.role }, process.env.JWT_SECRET, {
expiresIn: '15m',
})
Verify a token
import { verifyToken } from '@rtorcato/api-auth'
const payload = verifyToken(token, process.env.JWT_SECRET)
// payload is jwt.JwtPayload
// throws UnauthorizedError('Invalid or expired token') on failure
Pass a generic to type the payload:
interface Claims { sub: string; role: string }
const claims = verifyToken<Claims>(token, secret)
Extract a token from a request
findToken checks Authorization: Bearer <token> first, then falls back to a
cookie:
import { findToken } from '@rtorcato/api-auth'
// in any HTTP handler that exposes headers + cookies
const token = findToken(req, { cookieName: 'access_token' })
// cookieName defaults to 'token' if omitted
findRefreshToken reads only from cookies:
import { findRefreshToken } from '@rtorcato/api-auth'
const refresh = findRefreshToken(req, { cookieName: 'refresh_token' })
// cookieName defaults to 'refreshToken' if omitted
Both return undefined when no token is found — callers decide whether to error.
Re-exported types
import type { JwtPayload, SignOptions, VerifyOptions, Secret } from '@rtorcato/api-auth'
These are re-exported directly from jsonwebtoken so consumers don't need to
install it separately just for the types.
Related
- api-auth-express — drop-in Express middleware built on top of this