fastify-xauth-jwks

decodeHeader

Decode the protected header of a JWT string without verifying its signature. A re-export of jose.decodeProtectedHeader. Useful for inspecting the signing algorithm (alg) and key ID (kid) before verification.

Warning: This function does not validate the token. Use it only for inspection, never as a security check.

Signature

import { decodeHeader } from "@xenterprises/fastify-xauth-jwks/utils";

decodeHeader(token: string): ProtectedHeaderParameters

Params

Name   Type    Required  Description
token  string  Yes       Raw JWT string to decode.

Returns

object — The decoded JWT header, typically containing:

Property  Type    Description
alg       string  Signing algorithm (e.g., "RS256", "ES256").
kid       string  Key ID used to select the correct JWK from a JWKS.
typ       string  Token type, usually "JWT".

Throws

Throws if token is not a valid JWT string.

Examples

Basic — log the algorithm and key ID of incoming tokens

import { decodeHeader, extractToken } from "@xenterprises/fastify-xauth-jwks/utils";

fastify.addHook("onRequest", async (request) => {
  const token = extractToken(request);
  if (token) {
    try {
      const header = decodeHeader(token);
      fastify.log.debug({ alg: header.alg, kid: header.kid }, "JWT header");
    } catch {
      // ignore malformed tokens — verification will reject them
    }
  }
});

Realistic — route to the correct path validator based on the key ID

import { decodeHeader, extractToken } from "@xenterprises/fastify-xauth-jwks/utils";

fastify.addHook("preValidation", async (request, reply) => {
  const token = extractToken(request);
  if (!token) return;

  // decodeHeader throws on a malformed token; answer 401 rather than
  // letting the hook fail with a 500.
  let header;
  try {
    header = decodeHeader(token);
  } catch {
    return reply.code(401).send({ error: "Malformed token" });
  }

  // The kid is unverified input: it only selects which validator runs.
  // verifyJWT against that path's JWKS is what actually authenticates.
  if (header.kid?.startsWith("admin-")) {
    const payload = await fastify.xAuth.validators.admin.verifyJWT(token);
    if (!payload) return reply.code(401).send({ error: "Invalid admin token" });
    request.user = payload;
    request.auth = { path: "admin", userId: payload.sub, payload };
  }
});

See Also

  • decodeToken — Decode the JWT payload without verification
  • verifyJWT — Cryptographically verify a token against a path's JWKS
  • extractToken — Extract the raw token string from a request

AI Context

package: "@xenterprises/fastify-xauth-jwks"
import: decodeHeader from "@xenterprises/fastify-xauth-jwks/utils"
use-when: Decode JWT header (algorithm, kid, typ) without signature verification
returns: decoded header object (throws on a malformed token)
Copyright © 2026