JCC Express

JWT

Introduction

JCC Express MVC uses JSON Web Tokens (JWT) as its core auth token mechanism.

Primary helpers:

  • jwtSign(payload, options?)
  • jwtVerify(token)
  • jwtTokenType(payload)
  • checkJwtAccessTokenPayload(payload)
  • jwtSubjectId(payload)

These are implemented in jcc-express-mvc/lib/util/index.ts.


Basic usage

TypeScript

Token types

The framework distinguishes token kinds by typ:

  • access
  • refresh
  • legacy (when typ is not present)

Auth guards and middleware validate that protected routes receive access-token payloads.


Cookies used by auth

JWTs are typically transported as:

  • auth_token (access)
  • refresh_token (refresh)

Cookie options are centralized by authSessionCookieOptions() in the util/auth flow.
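The token-kind rule and the cookie pairing described above, shown as an added example that is not the framework's own code: it checks that an already-verified payload carries the kind its cookie is supposed to hold, so a refresh token cannot stand in for an access token. The function names and the `allowLegacy` switch are hypothetical, and rejecting legacy tokens by default is an assumption.

```typescript
// Added example; every name below is hypothetical, not a JCC Express MVC API.
type TokenKind = "access" | "refresh" | "legacy";
type Payload = { sub?: string | number; typ?: unknown };
type Decision =
  | { ok: true; kind: TokenKind; subject: string }
  | { ok: false; reason: string };

// Cookie names from the page, mapped to the kind each one should carry.
function expectedKind(cookie: string): "access" | "refresh" | null {
  if (cookie === "auth_token") return "access";
  if (cookie === "refresh_token") return "refresh";
  return null;
}

// A missing typ is "legacy"; an unrecognised typ returns null so callers fail closed.
function kindOf(payload: Payload): TokenKind | null {
  const typ = payload.typ;
  if (typ === undefined) return "legacy";
  if (typ === "access" || typ === "refresh") return typ;
  return null;
}

// Decide whether an already-verified payload may be used from the given cookie.
// allowLegacy is an assumed migration switch: the page does not say how legacy
// tokens are treated, so this example rejects them unless the caller opts in.
function checkCookiePayload(cookie: string, payload: Payload, allowLegacy = false): Decision {
  const expected = expectedKind(cookie);
  if (expected === null) return { ok: false, reason: `unknown cookie ${cookie}` };
  const kind = kindOf(payload);
  if (kind === null) return { ok: false, reason: "unrecognised typ" };
  const legacyOk = kind === "legacy" && allowLegacy && expected === "access";
  if (kind !== expected && !legacyOk) {
    return { ok: false, reason: `${kind} token presented as ${expected}` };
  }
  if (payload.sub === undefined || payload.sub === "") return { ok: false, reason: "missing sub" };
  return { ok: true, kind, subject: String(payload.sub) };
}

// Constructed payloads, shaped as they would be after signature verification.
const samples: Array<[string, Payload]> = [
  ["auth_token", { sub: 42, typ: "access" }],    // allowed
  ["auth_token", { sub: 42, typ: "refresh" }],   // refresh token used as access
  ["refresh_token", { sub: 42, typ: "access" }], // access token used as refresh
  ["auth_token", { sub: 42 }],                   // legacy, rejected by default
];
samples.forEach(([cookie, payload]) => {
  console.log(cookie, JSON.stringify(checkCookiePayload(cookie, payload)));
});
```

The check runs only after the signature has been verified; it does not replace verification.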


CLI for secret generation

Generate JWT secret values with:

Bash

Useful variants:

Bash

Security notes

  • JWT signing uses JWT_SECRET
  • production safety checks enforce strong secret values
  • keep JWT_SECRET private and long enough for production

For full authentication flow (login, refresh, logout), see final-documentation/Security/Authentication.md.