Access content and header without verifying the signature?

[babelouest]

Is there a way to access a JWT claim or a JWS content and the header, without having to use a public key?

The use case examples I'm thinking of is when the public key is embedded in the header, or when there's no need to verify the signature in general, just access the data.

[panva]

You can

• decode any JOSE token's protected header with jose/util/decode_protected_header
• use jose/jwk/embedded as the key-loading function when verifying tokens with embedded JWK
• (in node) use Buffer.from(payload, 'base64') to get whatever the payload is, no extra functionality necessary

[babelouest]

Thanks, it's not ideal, but it's a solution.

If I have the time to do it, would you accept a pull request for jwtVerify, so that for example if the parameter publicKey is null, it doesn't verify the signature but still returns {payload, protectedHeader}?

[panva]

No I would not. It was a conscious decision not to provide such API in the first place.

[babelouest]

No problem, thanks