fix:alg is now required in jwt middleware (#804)

VegBean · web-flow · commit f2d88204450d · 2026-02-02T00:18:21.000+09:00
diff --git a/docs/middleware/builtin/jwt.md b/docs/middleware/builtin/jwt.md
@@ -29,6 +29,7 @@ app.use(
   '/auth/*',
   jwt({
     secret: 'it-is-very-secret',
+    alg: 'HS256',
   })
 )
 
@@ -46,6 +47,7 @@ app.use(
   '/auth/*',
   jwt({
     secret: 'it-is-very-secret',
+    alg: 'HS256',
     issuer: 'my-trusted-issuer',
   })
 )
@@ -64,6 +66,7 @@ app.get('/auth/page', (c) => {
 app.use('/auth/*', (c, next) => {
   const jwtMiddleware = jwt({
     secret: c.env.JWT_SECRET,
+    alg: 'HS256',
   })
   return jwtMiddleware(c, next)
 })
@@ -77,15 +80,15 @@ app.use('/auth/*', (c, next) => {
 
 A value of your secret key.
 
-### <Badge type="info" text="optional" /> cookie: `string`
+### <Badge type="danger" text="required" /> alg: `string`
 
-If this value is set, then the value is retrieved from the cookie header using that value as a key, which is then validated as a token.
+An algorithm type that is used for verifying.
 
-### <Badge type="info" text="optional" /> alg: `string`
+Available types are `HS256` | `HS384` | `HS512` | `RS256` | `RS384` | `RS512` | `PS256` | `PS384` | `PS512` | `ES256` | `ES384` | `ES512` | `EdDSA`.
 
-An algorithm type that is used for verifying. The default is `HS256`.
+### <Badge type="info" text="optional" /> cookie: `string`
 
-Available types are `HS256` | `HS384` | `HS512` | `RS256` | `RS384` | `RS512` | `PS256` | `PS384` | `PS512` | `ES256` | `ES384` | `ES512` | `EdDSA`.
+If this value is set, then the value is retrieved from the cookie header using that value as a key, which is then validated as a token.
 
 ### <Badge type="info" text="optional" /> headerName: `string`
 
@@ -96,6 +99,7 @@ app.use(
   '/auth/*',
   jwt({
     secret: 'it-is-very-secret',
+    alg: 'HS256',
     headerName: 'x-custom-auth-header',
   })
 )
