Interface KeyStore

interface KeyStore {
    algorithm: Algorithm;
    getSigningKidFallback(): string;
    getVerificationKey(kid: string): Promise<KeyLike>;
    getVerificationKeys(): Promise<ManagedKey[]>;
    sign(options: SignJwtOptions): Promise<string>;
}

Index

Properties

Methods

getSigningKidFallback getVerificationKey getVerificationKeys sign

Properties

`Readonly`algorithm

algorithm: Algorithm

Methods

getSigningKidFallback

getSigningKidFallback(): string
Returns the current signing kid as a fallback for verifying legacy/malformed tokens that lack a kid header. Do not use for rotation-safe lookup — for rotation, pass the token's own kid to getVerificationKey(kid).

MUST be synchronous and cheap. Remote-sign adapters (KMS/HSM) must cache the current kid locally and return it without any remote call. Never exposes private key material.

Returns string
- Defined in packages/core/src/keys/KeyStore.mts:103

getVerificationKey

getVerificationKey(kid: string): Promise<KeyLike>
Specific kid's public key. Throws on unknown or expired kid.
Parameters
- kid: string
Returns Promise<KeyLike>
- Defined in packages/core/src/keys/KeyStore.mts:107

getVerificationKeys

getVerificationKeys(): Promise<ManagedKey[]>
Active verification keys for JWKS endpoint. Remote adapters may fetch + cache.

Returns Promise<ManagedKey[]>
- Defined in packages/core/src/keys/KeyStore.mts:105

sign

sign(options: SignJwtOptions): Promise<string>
Sign claims and return a compact JWT. The KeyStore self-injects alg and kid into the protected header; callers may set only typ. Remote-sign adapters (KMS/HSM) perform the remote call here.
Parameters
- options: SignJwtOptions
Returns Promise<string>
- Defined in packages/core/src/keys/KeyStore.mts:92