authia 0.3.1

High-performance JWT verification library for Ed25519 using WebAssembly
Documentation

authia

English | 日本語

High-performance JWT verification library for Ed25519 using WebAssembly.

Features

  • 🚀 Fast Ed25519 JWT verification using Rust + WebAssembly
  • v0.3.0 Optimization: Single-pass JSON parsing for maximum performance
  • 🔒 Secure by design - algorithm fixed to Ed25519
  • 🌐 Universal runtime support (Node.js, Browser, Cloudflare Workers)
  • 📦 Zero runtime dependencies
  • 🎯 TypeScript type definitions included
  • ⚡ Automatic Wasm initialization

📊 Benchmarks

In environments like Cloudflare Workers or Edge runtimes, authia provides highly efficient execution by leveraging Rust's performance and minimal memory footprint.

Library Avg (ms) p50 (ms) p95 (ms)
authia (WASM) 0.20ms 0.17ms 0.36ms
jose (WebCrypto) 0.30ms 0.28ms 0.50ms

Tested with authia v0.3.0. Node.js native crypto may be faster due to C++ bindings, but authia is optimized for high-throughput WASM environments.

Installation

npm install authia

Usage

The library automatically detects the environment (Node.js or Bundler/Workers) and handles WebAssembly loading.

Access Token Verification

import { verifyAccessToken } from "authia";

try {
  // ⚡ RECOMMENDED: Use publicKeyJwkRaw for better performance (v0.2.0+)
  const payload = await verifyAccessToken(token, {
    publicKeyJwkRaw: process.env.JWT_PUBLIC_KEY, // Raw JWK JSON string
    audience: "kapock-app",
    issuer: "https://auth.kapock.com",
  });

  console.log(`User ID: ${payload.sub}, Email: ${payload.email}`);
} catch (error) {
  console.error("Token verification failed:", error);
}

Legacy (still supported, but slower):

// Base64-encoded JWK (backward compatible)
const payload = await verifyAccessToken(token, {
  publicKeyJwk: btoa(process.env.JWT_PUBLIC_KEY), // Requires base64 encoding
  audience: "kapock-app",
  issuer: "https://auth.kapock.com",
});

Refresh Token Verification

import { verifyRefreshToken } from "authia";

const payload = await verifyRefreshToken(token, {
  publicKeyJwkRaw: process.env.JWT_PUBLIC_KEY, // Use raw JWK for better performance
  audience: "kapock-app",
  issuer: "https://auth.kapock.com",
});

console.log(`JTI: ${payload.jti}`);

Performance Tips

  1. Use publicKeyJwkRaw instead of publicKeyJwk (2-5x faster in high-throughput scenarios)
  2. Cache your verification options at the worker/process level
  3. The library automatically caches the decoded public key internally
// Worker-level caching example (Cloudflare Workers)
let cachedPublicKey: string | null = null;

export async function verifyToken(token: string, env: Env) {
  if (!cachedPublicKey) {
    cachedPublicKey = env.JWT_PUBLIC_KEY.trim();
  }

  return verifyAccessToken(token, {
    publicKeyJwkRaw: cachedPublicKey, // Avoid repeated trim() calls
    audience: "kapock-app",
    issuer: "https://auth.kapock.com",
  });
}

Runtime Behavior

Node.js

Verification is synchronous. The WebAssembly module is loaded and instantiated at startup using the optimized Node.js target.

Cloudflare Workers / Bundlers

Verification is also synchronous. The library automatically handles WebAssembly instantiation during module load. The await in examples is supported but not strictly required for the verification itself (it returns the payload directly).

API

See API Documentation for detailed information.

License

MIT