@orangecheck/auth-core / verifyOcToken
Function: verifyOcToken()
function verifyOcToken(token: string, options?: VerifyOcOptions): Promise<SessionPayload | null>;
Defined in: src/index.ts:364
Verify a JWT issued by an OC auth host. Lazy-fetches the JWKS from
<issuer>/.well-known/jwks.json, picks the key whose kid matches
the token's protected header, and verifies the signature.
Returns the payload on success, null on any failure (bad signature,
expired, wrong issuer, kid not in JWKS, malformed). Never throws.
Integrators don't need to handle JWKs, env vars, or rotation — the cache picks up new keys automatically when they appear in the JWKS response. Stale tokens signed under a retired key continue to verify as long as the retired key is still published in the JWKS (standard key-rotation overlap window).
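The kid lookup, rotation overlap and null-on-failure behaviour described above, as an added example that is not the package's own code: a self-contained sketch over WebCrypto with constructed keys and an in-memory JWKS. ES256, the issuer URL, the kid values and the helper names (`makeKey`, `sign`, `verifyAgainstJwks`, `demo`) are assumptions; the JWKS fetch and cache are left out.

```javascript
// Added illustration; not the @orangecheck/auth-core source. ES256 and all names are assumptions.
const { subtle } = globalThis.crypto ?? require('node:crypto').webcrypto;
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };
const b64u = (x) => Buffer.from(x).toString('base64url');

// Constructed signing key plus the public JWK (tagged with its kid) that a JWKS would publish.
async function makeKey(kid) {
  const { privateKey, publicKey } = await subtle.generateKey(ALG, true, ['sign', 'verify']);
  return { kid, privateKey, jwk: { ...(await subtle.exportKey('jwk', publicKey)), kid } };
}

async function sign(key, claims) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256', kid: key.kid }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(await subtle.sign(SIG, key.privateKey, Buffer.from(input)))}`;
}

// Fail closed: every rejection path, including thrown parse errors, returns null.
async function verifyAgainstJwks(token, jwks, issuer, now = Date.now() / 1000) {
  try {
    const [h, p, s, ...rest] = token.split('.');
    if (!s || rest.length) return null; // malformed: not exactly three segments
    const header = JSON.parse(Buffer.from(h, 'base64url').toString());
    if (header.alg !== 'ES256') return null; // pin the algorithm instead of trusting the header
    const jwk = jwks.keys.find((k) => k.kid === header.kid); // kid selects the key
    if (!jwk) return null; // kid not in JWKS
    const pub = await subtle.importKey('jwk', jwk, ALG, false, ['verify']);
    const ok = await subtle.verify(SIG, pub, Buffer.from(s, 'base64url'), Buffer.from(`${h}.${p}`));
    if (!ok) return null; // bad signature
    const payload = JSON.parse(Buffer.from(p, 'base64url').toString());
    return payload.iss === issuer && payload.exp > now ? payload : null; // claims read only after the signature holds
  } catch { return null; } // never throws
}

async function demo() {
  const [oldKey, newKey] = [await makeKey('k-old'), await makeKey('k-new')];
  const iss = 'https://auth.example', exp = Math.floor(Date.now() / 1000) + 300;
  const stale = await sign(oldKey, { sub: 'u1', iss, exp }); // token signed under the retired key
  const overlap = { keys: [newKey.jwk, oldKey.jwk] }; // retired key still published
  return {
    duringOverlap: await verifyAgainstJwks(stale, overlap, iss),
    afterRemoval: await verifyAgainstJwks(stale, { keys: [newKey.jwk] }, iss),
    kidReused: await verifyAgainstJwks(stale, { keys: [{ ...newKey.jwk, kid: 'k-old' }] }, iss),
    wrongIssuer: await verifyAgainstJwks(stale, overlap, 'https://other.example'),
    expired: await verifyAgainstJwks(await sign(oldKey, { sub: 'u1', iss, exp: 1 }), overlap, iss),
    malformed: await verifyAgainstJwks('not.a.jwt', overlap, iss),
  };
}
demo().then((r) => console.log(r));
```

Only `duringOverlap` yields a payload: once the retired key leaves the JWKS, or a different key is published under the same kid, the stale token is rejected like any other failure.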
Parameters
| Parameter | Type |
|---|---|
| token | string |
| options? | VerifyOcOptions |
Returns
Promise<SessionPayload | null>