jwtDecrypt returns protected header, but payload is undefined

[brandonwind]

I'm attempting to use jwtDecrypt per the example here. The protected header is returned as expected, but the payload is undefined.

I assume I'm doing something wrong with the key I'm using? I've been given a string and am supposed to use its SHA256 hash to decrypt.

Sample JWT:

eyJhbGciOiJBMjU2R0NNS1ciLCJlbmMiOiJBMjU2R0NNIiwiaXYiOiJjX05ReXVrU19BU3Y1ZUc5IiwidGFnIjoiT2xLR1RIakhacmhkZ0puYks1NURndyJ9.5AwrO4lZpv0ntzSQVhVHwuo6p5otzSC2dacgEqqNFjU.gYy-6cyyQ9Z4mk5r.zj_jXLbBtIcd8UR1sjRPcupTwUeujR0uLatDcIZVjg_V1uI1HyOx82LNxG4fkSVOTP0ReQaR8Ey2SvEGx5lWt6v-vHsmGjof1HlhGLXtHo0XhnuSN38FOM7-dBh4kqIQEVritDF1PIRZTZxryeWALSaiyraNxkxEeGZljWRw6b85JABxfoGlevRrfdFWOkycc1Y42bI1ULfv5NSFyxA0CfFZpqcfx2d_TFeHW_Bp7yF2zwYh-o7qIO8yYpDbyrmg2wabOIzRHn4ZeokZZaJwcEWucL127qX4_Unm-uTlQRsOKV0CsXXkpzF-Vd-DCsZFQMQeb3pYQ6dq5_k5hJcbdpztCNnlsN3kEXTREaOothXoecpA6GGiRp2qZZjFDgTVkgAET-NbayGzq1nr4yipMR3AWIEjWp_1ZEnVsF6ZYclEnnffBw21ok0ow9-Dt6IfzYMzErN6KNq8xKqk3U7FnaM8ZFwqh2kx7YpMNbMVDotOJSJobfopXc65kw5K24OJlHC8p3yhRaSDHI3Vd7c7qKHjMQlD5dm4Pob9mjvqvRcJrhtU06ti-QpEMyhV3qa73CEwWqkw1Iezfc_XgXgyG8sOaQCHRWlK_QYqErF02y6OwV_yiacVJ8UR5cMLiwgyxUBkunSJNgBTETBCgZ5O9t5V-iBxJoIvTbnezay8ybZenEAXi3nfuySq5xo6x1I3L5WZeEJHqJQ50oMOR3PEqI5uKUjUtA2EqVDLinnSDRg6S7WTScL8U4zTiWgEOkdd_uyszrU8R-kQgXWRtSsZoftfVR4n3dVB0RVXhIi03DH2KVuvD9NSRYuoxoyk7TATqdxQ9x7YLZcvVYusCZ7_3pGXF3x8ukCsp_h8sFH8PpgCNRp15RADX3RpSx-M0WGN1esIqR-mpCNgL84Ls6hewlWEtEB9xhETZ4eFwEeoYfUntBA5w5wuKWO2LlLV9TtTQ2WA3Z0sFyOBf7lFzifrnJv5hG7sA8kK735NNDAS6R1VEAEqLp0uDfCBI3ca-jUL7xjN7JE09fAzqSqUxnsnGucBn67MeN_abeQLmEQkAChm3eACd5zKTA0l7tUTiXM8hQO7WJFAQwCXm_zCwZrcQjxu77t8Hf5m5xsBurc5jAATlP8ytcNvatuRF_zU63F4OGgede17jn55Xa9EY2sFCYIbfAcT-qA8xlyBiP6csikjsax_QieidrnAW5VyqeR8GELitHIAWu7sotSJd4_DKgj3HViNvBXx9XH1rk94Tq4HGljkyAopqm0HMjDyT8zbC1StcIwVmOOWsQmh4R1CvZtg-5CVFMN521Kk_pOca8cx0xKBg-TVx2aoJWbJP3XKSLmk0NPvN9q9Ef8W_Xjfshus4TzcYWQU02tVwa0Pbwa38LQz0MRqqMu2J80y9xaQPwWXy-ojmTNsa2jhDiydhbVSPNV9B5jlJDnlInlqdBxfO9roLY6P8Lh6W6A8DEgS-m7v7SyOMle90PNbabenfY87j3ejvRvFbQgKhV4uLFLi8Fjrfht1KZd8ri81gHx-vq-svRyk_gMLj9DWqBSyyFLja9Tgb3Zzs3k78vZUuvBltPTs_zPE4orqvX6jrcyh6K1_nGDApusyCIcb3LC725WUeS3zpMp4iHULxeDuoiDK5In3_5GHOtQ41xz3ICw5uScCgnesipoSit10y61A4AwE-EXbDT0bC0fewEoz3XUAOGrk1jujMW-xcsE5IZIaXfDIrS1R3ETQVrqRmV3Rp7mWV6M-pJfx5SYuwKKc_QYBfN3-D03T3gGz0zn8tv5WSv70iIbm28jKjtzuonPXll4bHqRh5guZ7F_nFNzDxqO-XPqLFfUKGbNl31_ZBGjuSfHJe0TtUTz-7A91-NOS0E7LTSANgEogvdC0N3554WYFiFxX62zmbHi-31h4WT29uh70KraOp_HMgk-EpyaHfhzwy4t5Ck_wjht11WiHlfKYjibDbNwoh0jakOjmH2FNyjgk2MxU4J3ojWfbK8M4eA0QpxZRfyOXWxwmfRn7qcr2_SgxduDIS6Ouz0kualk_wFQ5YN35MZjY3JA0H6QJVwmif8OCUJrvqDsszJ2t9QavmoHh-VHXP5fkpAe6AGGDZUWN58333CUzcKiO1zobdhk-ZOrhksk9k_aQzxnxZewmYvB4eNxvX3EMF9AzscfQuuWAzY1TPmlr9FlnrDtQmxXi8RrlmiSMAbLHMfRO39CtnDfPnS4hwFKH5m57_pLoLGRkCh92b3-8hzqLqVei62-KXz4ut-eho85Y_b_LFhfkZoXWWE7BSrOidJfVyuNOr_rO4E0r5kr-VOuzOCvrqMdIbr37SyFkAAMgLqVucVJEHN-GYkwUTLx0W52jFOhytLC7uFmgRM8m3MLitxWWZGGQDS0wdJd6aq4b8N06BcM5X6Hjg4uMPNB1BWYby8kpxvfNNYnlmcI7lM5t5xahNLm7ln2szZJJDR1Vz8fgNn7gkpRzZfSE4I40z72FWyvXnrUDmowSILaW9pFl7e1_gSn5VVN42JGxKJshKD_laz8ODtl6dvC95kSK92wrelLr38N2l3-am5VkRbXrzFqhxIcrKJrFLcMbGSjss-me02Pn_vmJf7CffsWlPJ9pg7nZvQiloZPwbIS07TP6eKbcvw_EFx7Ck6285AsWVHDN_xgkz_aujJMhNmQGbRoDk9fCYCY8u2-X5OlsLU4FkPe_VOO5XrMk0X579NVk4QVupx3_QCayq9eQzgcf1YbgaS2pcQgx9JVK3YOt1ZBnuAz6B1RTvZq27WMwQqxrU3TMnPV2WiXiHZCTsaJbJWE8wInnT3C5P5CiXKa3QhduOkUPU-7cyVDvw2y5J0Vd946HnZpHFDUwRcfJZeV4mCFE_gqu3qb4amh6WPPOtkS5wmxF0JbPwCG3T3v7_qC2bPkCZyC9ZiRBRgxk7uHuFzDrKkrKGdlk2lgAq3OqTlIwo6dGbuczEdWqB5L_U4i6o5AsBVaaKRLJw2U4XqPqpkFZmQ4d4eU-Fv2NHvmySw6MvE9XDWYzD1qtUGyPhM9txQ9I1g_cD4SbVxSJcqcRgGUXzxdrClWmnlL1R_Wk_S0EOUdlTOQwKFtG4N0HtR0PllJ6qaWLAvOqL-cfwWRGaIj2_r3v3oD9j9pegUnJ7w4u_EFMqjAebzNHci2MyCwqM0Sg1cHAJ2E4rJUOBTumaVT8Jg-bHn75z4UhVkOZvylpgMzcoSEkzUHwIQzq5pOkTApYoim_HR3Gj8Glrv8j8zMy1ca6hwvVcOw0WLy-7TXuDQ.vAqPmYbZiH5q1H1_T-tZlw

The protected header returned looks like:
{ alg: 'A256GCMKW', enc: 'A256GCM', iv: '2-_wx-RPWDQR02Ry', tag: 'PwLz9nI2qxZEZOB2ttefIA' }

Here is a sample of how I'm currently attempting to decrypt:

const jwt = "eyJhbGciOiJBMjU2R0NNS1ciLCJlbmMiOiJBMjU2R0NNIiwiaXYiOiJjX05ReXVrU19BU3Y1ZUc5IiwidGFnIjoiT2xLR1RIakhacmhkZ0puYks1NURndyJ9.5AwrO4lZpv0ntzSQVhVHwuo6p5otzSC2dacgEqqNFjU.gYy-6cyyQ9Z4mk5r.zj_jXLbBtIcd8UR1sjRPcupTwUeujR0uLatDcIZVjg_V1uI1HyOx82LNxG4fkSVOTP0ReQaR8Ey2SvEGx5lWt6v-vHsmGjof1HlhGLXtHo0XhnuSN38FOM7-dBh4kqIQEVritDF1PIRZTZxryeWALSaiyraNxkxEeGZljWRw6b85JABxfoGlevRrfdFWOkycc1Y42bI1ULfv5NSFyxA0CfFZpqcfx2d_TFeHW_Bp7yF2zwYh-o7qIO8yYpDbyrmg2wabOIzRHn4ZeokZZaJwcEWucL127qX4_Unm-uTlQRsOKV0CsXXkpzF-Vd-DCsZFQMQeb3pYQ6dq5_k5hJcbdpztCNnlsN3kEXTREaOothXoecpA6GGiRp2qZZjFDgTVkgAET-NbayGzq1nr4yipMR3AWIEjWp_1ZEnVsF6ZYclEnnffBw21ok0ow9-Dt6IfzYMzErN6KNq8xKqk3U7FnaM8ZFwqh2kx7YpMNbMVDotOJSJobfopXc65kw5K24OJlHC8p3yhRaSDHI3Vd7c7qKHjMQlD5dm4Pob9mjvqvRcJrhtU06ti-QpEMyhV3qa73CEwWqkw1Iezfc_XgXgyG8sOaQCHRWlK_QYqErF02y6OwV_yiacVJ8UR5cMLiwgyxUBkunSJNgBTETBCgZ5O9t5V-iBxJoIvTbnezay8ybZenEAXi3nfuySq5xo6x1I3L5WZeEJHqJQ50oMOR3PEqI5uKUjUtA2EqVDLinnSDRg6S7WTScL8U4zTiWgEOkdd_uyszrU8R-kQgXWRtSsZoftfVR4n3dVB0RVXhIi03DH2KVuvD9NSRYuoxoyk7TATqdxQ9x7YLZcvVYusCZ7_3pGXF3x8ukCsp_h8sFH8PpgCNRp15RADX3RpSx-M0WGN1esIqR-mpCNgL84Ls6hewlWEtEB9xhETZ4eFwEeoYfUntBA5w5wuKWO2LlLV9TtTQ2WA3Z0sFyOBf7lFzifrnJv5hG7sA8kK735NNDAS6R1VEAEqLp0uDfCBI3ca-jUL7xjN7JE09fAzqSqUxnsnGucBn67MeN_abeQLmEQkAChm3eACd5zKTA0l7tUTiXM8hQO7WJFAQwCXm_zCwZrcQjxu77t8Hf5m5xsBurc5jAATlP8ytcNvatuRF_zU63F4OGgede17jn55Xa9EY2sFCYIbfAcT-qA8xlyBiP6csikjsax_QieidrnAW5VyqeR8GELitHIAWu7sotSJd4_DKgj3HViNvBXx9XH1rk94Tq4HGljkyAopqm0HMjDyT8zbC1StcIwVmOOWsQmh4R1CvZtg-5CVFMN521Kk_pOca8cx0xKBg-TVx2aoJWbJP3XKSLmk0NPvN9q9Ef8W_Xjfshus4TzcYWQU02tVwa0Pbwa38LQz0MRqqMu2J80y9xaQPwWXy-ojmTNsa2jhDiydhbVSPNV9B5jlJDnlInlqdBxfO9roLY6P8Lh6W6A8DEgS-m7v7SyOMle90PNbabenfY87j3ejvRvFbQgKhV4uLFLi8Fjrfht1KZd8ri81gHx-vq-svRyk_gMLj9DWqBSyyFLja9Tgb3Zzs3k78vZUuvBltPTs_zPE4orqvX6jrcyh6K1_nGDApusyCIcb3LC725WUeS3zpMp4iHULxeDuoiDK5In3_5GHOtQ41xz3ICw5uScCgnesipoSit10y61A4AwE-EXbDT0bC0fewEoz3XUAOGrk1jujMW-xcsE5IZIaXfDIrS1R3ETQVrqRmV3Rp7mWV6M-pJfx5SYuwKKc_QYBfN3-D03T3gGz0zn8tv5WSv70iIbm28jKjtzuonPXll4bHqRh5guZ7F_nFNzDxqO-XPqLFfUKGbNl31_ZBGjuSfHJe0TtUTz-7A91-NOS0E7LTSANgEogvdC0N3554WYFiFxX62zmbHi-31h4WT29uh70KraOp_HMgk-EpyaHfhzwy4t5Ck_wjht11WiHlfKYjibDbNwoh0jakOjmH2FNyjgk2MxU4J3ojWfbK8M4eA0QpxZRfyOXWxwmfRn7qcr2_SgxduDIS6Ouz0kualk_wFQ5YN35MZjY3JA0H6QJVwmif8OCUJrvqDsszJ2t9QavmoHh-VHXP5fkpAe6AGGDZUWN58333CUzcKiO1zobdhk-ZOrhksk9k_aQzxnxZewmYvB4eNxvX3EMF9AzscfQuuWAzY1TPmlr9FlnrDtQmxXi8RrlmiSMAbLHMfRO39CtnDfPnS4hwFKH5m57_pLoLGRkCh92b3-8hzqLqVei62-KXz4ut-eho85Y_b_LFhfkZoXWWE7BSrOidJfVyuNOr_rO4E0r5kr-VOuzOCvrqMdIbr37SyFkAAMgLqVucVJEHN-GYkwUTLx0W52jFOhytLC7uFmgRM8m3MLitxWWZGGQDS0wdJd6aq4b8N06BcM5X6Hjg4uMPNB1BWYby8kpxvfNNYnlmcI7lM5t5xahNLm7ln2szZJJDR1Vz8fgNn7gkpRzZfSE4I40z72FWyvXnrUDmowSILaW9pFl7e1_gSn5VVN42JGxKJshKD_laz8ODtl6dvC95kSK92wrelLr38N2l3-am5VkRbXrzFqhxIcrKJrFLcMbGSjss-me02Pn_vmJf7CffsWlPJ9pg7nZvQiloZPwbIS07TP6eKbcvw_EFx7Ck6285AsWVHDN_xgkz_aujJMhNmQGbRoDk9fCYCY8u2-X5OlsLU4FkPe_VOO5XrMk0X579NVk4QVupx3_QCayq9eQzgcf1YbgaS2pcQgx9JVK3YOt1ZBnuAz6B1RTvZq27WMwQqxrU3TMnPV2WiXiHZCTsaJbJWE8wInnT3C5P5CiXKa3QhduOkUPU-7cyVDvw2y5J0Vd946HnZpHFDUwRcfJZeV4mCFE_gqu3qb4amh6WPPOtkS5wmxF0JbPwCG3T3v7_qC2bPkCZyC9ZiRBRgxk7uHuFzDrKkrKGdlk2lgAq3OqTlIwo6dGbuczEdWqB5L_U4i6o5AsBVaaKRLJw2U4XqPqpkFZmQ4d4eU-Fv2NHvmySw6MvE9XDWYzD1qtUGyPhM9txQ9I1g_cD4SbVxSJcqcRgGUXzxdrClWmnlL1R_Wk_S0EOUdlTOQwKFtG4N0HtR0PllJ6qaWLAvOqL-cfwWRGaIj2_r3v3oD9j9pegUnJ7w4u_EFMqjAebzNHci2MyCwqM0Sg1cHAJ2E4rJUOBTumaVT8Jg-bHn75z4UhVkOZvylpgMzcoSEkzUHwIQzq5pOkTApYoim_HR3Gj8Glrv8j8zMy1ca6hwvVcOw0WLy-7TXuDQ.vAqPmYbZiH5q1H1_T-tZlw"
const secret = "some_string_here"
const hash = CryptoJS.SHA256(secret);
const buffer = Buffer.from(hash.toString(CryptoJS.enc.Hex), "hex");
const array = new Uint8Array(buffer);

const { payload, protectedHeader } = await jose.jwtDecrypt(jwt, array);
console.log(protectedHeader);
console.log(payload);

Am I correct to assume that the reason I'm not receiving any errors and am just getting undefined is because there is an issue with my key? If so, what is the best way to use a SHA256 hash of a string as a key for decryption?

[panva]

Please provide a reproduction code example. Always provide minimal reproduction samples if you're asking for help.

[brandonwind]

@panva Sorry, attached a code sample in the original question. Thank you!

[panva]

A reproduction sample with an actual secret that I can decrypt with would go a long way. This does not help much.

Either way tho, if decryption would fail you would get a rejection and an error, not an undefined payload.