How to catch an expired JWT on verify? #834

thaoms · 2025-12-04T10:20:28Z

thaoms
Dec 4, 2025

The docs are pretty vague or have no info on this, but is this way to catch an error thrown when a jwt is expired?
Is there an actual error thrown of this instance?

Assuming nothing is thrown the claim is always valid?

export async function verifyJWT(
  token: string,
  options: {
    issuer: string;
    audience?: string | string[];
    algorithms?: string[];
  },
): Promise<VerifiedJWTPayload> {


  // Ensure issuer has trailing slash
  const issuer = options.issuer.endsWith("/")
    ? options.issuer
    : `${options.issuer}/`;

  const jwks = getJWKS(issuer);

  const { payload } = await jwtVerify(token, jwks, {
    issuer,
    audience: options.audience,
    algorithms: options.algorithms || ["RS256"],
  });

  return payload;
}

...
try {
    // Try to verify the token (includes expiration check)
    await verifyJWT(account.id_token, {
      issuer: xxxxxx,
      audience: xxxxxx,
    });

    // Token is valid and not expired
     return account.id_token;
    
  } catch (error) {
    if (error instanceof JWTExpired && error.code === "ERR_JWT_EXPIRED") {
      console.warn("[Auth.js] Token expired; attempting refresh");
    } else {
      console.warn(
        "[Auth.js] Token signature verification failed;",
        error,
        "redirecting to sign-in",
      );

      throw error;
    }
...

chrislyons-dev · 2026-01-01T16:32:17Z

chrislyons-dev
Jan 1, 2026

jwtVerify throws when the token is expired.
The error is JWTExpired from jose/errors and its code is ERR_JWT_EXPIRED.
If nothing is thrown, then any exp claim that exists was valid at that moment.
If the token has no exp claim, jwtVerify won’t fail unless you require it.

Example:

import { jwtVerify } from 'jose';
import { JWTExpired } from 'jose/errors';

try {
  const { payload } = await jwtVerify(token, jwks, {
    issuer,
    audience,
    algorithms: ['RS256'],
    requiredClaims: ['exp'],
    // optional: maxTokenAge: '15m',
  });
  return payload;
} catch (err) {
  if (err instanceof JWTExpired) {
    // expired
  } else {
    // other verification errors
  }
}

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How to catch an expired JWT on verify? #834

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

How to catch an expired JWT on verify? #834

Uh oh!

Uh oh!

thaoms Dec 4, 2025

Replies: 1 comment

Uh oh!

chrislyons-dev Jan 1, 2026

thaoms
Dec 4, 2025

chrislyons-dev
Jan 1, 2026