@koduhai/mcp-kit
    Preparing search index...

    Interface JwtVerifierOptions

    interface JwtVerifierOptions {
        algorithms?: string[];
        audience: string | string[];
        clockToleranceSeconds?: number;
        fetch?: (
            input: string | URL | Request,
            init?: RequestInit,
        ) => Promise<Response>;
        issuer: string;
        jwksUri?: string;
        key?: JWTVerifyGetKey;
        scopeClaim?: string;
        timeoutMs?: number;
    }
    Index

    Properties

    algorithms? audience clockToleranceSeconds? fetch? issuer jwksUri? key? scopeClaim? timeoutMs?

    Properties

    algorithms?: string[]

    Allowed signing algorithms. Default ['RS256', 'ES256']. Never allow none.

    audience: string | string[]

    Expected audience (aud): your MCP server's resource identifier (RFC 8707). A token minted for a different resource is rejected, which is what stops token-passthrough attacks.

    clockToleranceSeconds?: number

    Clock skew tolerance in seconds for exp/nbf. Default 5.

    fetch?: (input: string | URL | Request, init?: RequestInit) => Promise<Response>

    Injectable fetch for issuer discovery and the JWKS request.

    issuer: string

    Expected token issuer (iss). Also used to auto-discover the JWKS if jwksUri is omitted.

    jwksUri?: string

    JWKS URI. If omitted it is discovered from the issuer's AS metadata (jwks_uri).

    key?: JWTVerifyGetKey

    Provide the key directly (a KeyLike/JWKS/resolver) instead of discovering it. Mainly for tests.

    scopeClaim?: string

    Claim to read scopes from. By default tries scope (space-delimited) then scp (array).

    timeoutMs?: number

    Timeout (ms) for JWKS fetch and issuer discovery. Default 10000.

    Settings

    Member Visibility

    On This Page

    Properties