JWT Authentication

Secure routes with JSON Web Tokens.

JWT

The @bklarjs/jwt package provides middleware for validating JSON Web Tokens. It integrates with ctx.state to make the user payload easily accessible.

Installation

bun add @bklarjs/jwt jose
npm install @bklarjs/jwt jose

Usage

1. Protecting Routes

import { Bklar } from "bklar";
import { jwt } from "@bklarjs/jwt";

const app = Bklar();
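// Placeholder value: load the real secret from configuration (for example an environment variable), not from source code.
const auth = jwt({ secret: "your-secret-key" });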

app.get(
  "/profile",
  (ctx) => {
    // Available if token is valid
    const user = ctx.state.jwt;
    return ctx.json({ id: user.sub, role: user.role });
  },
  {
    middlewares: [auth],
  }
);

2. Signing Tokens

We export helper functions to sign tokens easily.

import { sign } from "@bklarjs/jwt";

// `app` is the Bklar instance created in the "Protecting Routes" example.
app.post("/login", async (ctx) => {
  // ... validate user credentials ...

  const token = await sign(
    { sub: "123", role: "admin" }, // Payload
    "your-secret-key", // Secret (must be the same secret given to jwt())
    { expiresIn: "2h" } // Options
  );

  return ctx.json({ token });
});

Configuration

| Option | Type | Description |
| --- | --- | --- |
| secret | string | Required. The secret key used to sign tokens. |
| passthrough | boolean | If true, invalid tokens won't throw an error (useful for optional auth). |
| getToken | (ctx) => string | Custom function to extract the token (default: Bearer header). |
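The checks that validating a token involves, together with the Bearer-header default and the passthrough behaviour from the table above, shown as an added example that is not code from @bklarjs/jwt or its documentation. It uses Node's built-in crypto rather than jose and assumes HS256 tokens; the function names (signHS256, bearerToken, verifyHS256, authenticate) and the nowSec parameter are hypothetical.

```javascript
// Added illustration, not @bklarjs/jwt source. Assumes HS256 tokens.
// Loads node:crypto under either CommonJS or ES modules.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

const b64url = (input) => Buffer.from(input).toString("base64url");
const hmac = (data, secret) =>
  nodeCrypto.createHmac("sha256", secret).update(data).digest();

// Hypothetical helper that mints sample tokens for the checks below.
function signHS256(payload, secret, header = { alg: "HS256", typ: "JWT" }) {
  const data = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${data}.${hmac(data, secret).toString("base64url")}`;
}

// Bearer-header extraction; returns null unless the value is three base64url segments.
function bearerToken(authorization) {
  const match = /^Bearer ([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)$/.exec(authorization || "");
  return match ? match[1] : null;
}

// Returns the payload or throws. nowSec is injectable so expiry can be tested.
function verifyHS256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const [h, p, s] = token.split(".");
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm: never let the token choose it (rejects "none").
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(s, "base64url");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected))
    throw new Error("bad signature");
  const payload = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  if (typeof payload.exp === "number" && payload.exp <= nowSec) throw new Error("token expired");
  return payload;
}

// Models passthrough: a missing or invalid token yields null instead of an error.
function authenticate(authorization, secret, { passthrough = false, nowSec } = {}) {
  try {
    const token = bearerToken(authorization);
    if (!token) throw new Error("missing bearer token");
    return verifyHS256(token, secret, nowSec);
  } catch (err) {
    if (passthrough) return null;
    throw err;
  }
}
```

With passthrough enabled the handler must treat a null result as an anonymous request and apply its own authorization check.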
