How do I decode a JWT string using the `decode` function from `next-auth/jwt`? #12527

chrisidakwo · 2025-01-22T08:27:48Z

chrisidakwo
Jan 22, 2025

The next-auth/jwt decode function throws the error no matching decryption secret, even when all the right properties have been provided that I'm not sure how else to decode the token.

BACKGROUND:
I have a setup where I'm using jwt session strategy with the credentials provider to authenticate users. However, I want 3rd-party applications to be able to make authenticated API requests to my application using Bearer token. This is what the relevant parts of my auth config looks like:

const JWT_SECRET = process.env.AUTH_SECRET || '';

export const { auth, handlers, signIn } = NextAuth({
  secret: JWT_SECRET,
  session: {
    strategy: 'jwt',
  },
  providers: [
    CredentialsProvider({}),
  ],
});

Now, I have a function that wraps API endpoints requiring bearer authentication:

import { NextRequest, NextResponse } from 'next/server';
import { decode } from 'next-auth/jwt';
import { SESSION_TOKEN_NAME } from '../constants';

const secret = process.env.AUTH_SECRET || '';

export const withBearerAuth = async (params: { req: NextRequest, res?: NextResponse }, callback: (userId: string) => any) => {
    const authHeader = params.req.headers.get('Authorization');
    if (!authHeader || !authHeader.startsWith('Bearer ')) {
        return NextResponse.json(
            { error: 'Unauthenticated' },
            { status: 401 }
        );
    }

    const authToken = decodeURIComponent(authHeader.split(' ')[1]);

    try {
        const decoded = await decode({
            salt: SESSION_TOKEN_NAME,
            secret: secret,
            token: authToken,
        });

        console.log('decoded token', decoded);

        if (!decoded) {
            return NextResponse.json(
                { error: 'Unauthenticated' },
                { status: 401 }
            );
        }

        const userId = decoded.sub as string;

        return callback(userId);
    } catch (error) {
        console.log('error decoding token', error);

        return NextResponse.json(
            { error: 'Unauthenticated' },
            { status: 401 }
        );
    }
};

For some reason, the awaited decode call throws the error "no matching decryption secret" which I find strange because it's the same set of values the getToken() method uses internally to successfully decode a token. See line 185 in the screenshot.

Does anyone have an idea how to use the decode function?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

How do I decode a JWT string using the `decode` function from `next-auth/jwt`? #12527

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Uh oh!

How do I decode a JWT string using the decode function from next-auth/jwt? #12527

Uh oh!

Uh oh!

chrisidakwo Jan 22, 2025

Replies: 0 comments

How do I decode a JWT string using the `decode` function from `next-auth/jwt`? #12527

chrisidakwo
Jan 22, 2025