@tilldev/auth-node
JWT verifier (EdDSA, JWKS-cached), Express middleware, Fastify hook, generic fetch-handler for Workers / Bun / Deno, and a cookie-mode proxy for HttpOnly sessions. No native dependencies.
pnpm add @tilldev/auth-nodeThe verifier
First call fetches the JWKS from<apiBase>/.well-known/jwks.json; thereafter it's cached and revalidated on kid miss. Verification is offline once the cache is warm — no per-request round trip to TillAuth.
Constructor options
appId— your TillAuth public ID. Required. Tokens for a different app are rejected withcode='wrong_app'.apiBase— override the API base. Defaults tohttps://auth.tilldev.dev.publicJwks— inline an array of JWK keys. Use this for air-gapped verification where the verifier can't reach TillAuth at startup.requireVerifiedEmail— reject tokens whose user hasn't completed email verification. Defaults to false.requireMfa— reject tokens whose primary signin wasn't MFA-challenged. Defaults to false.
Errors
TillAuthVerifyError with a typedcode: 'no_token', 'invalid_token', 'wrong_app', 'mfa_required', 'email_not_verified'.
Express middleware
Fastify hook
Workers · Bun · Deno · plain fetch
createFetchHandler returns a(req: Request) => Promise<Response | null>you can drop into any fetch-shaped runtime. It enforces verification and returns null on success (so you fall through to your handler):
Cookie-mode proxy
Pair this with @tilldev/auth-react'ssessionMode: 'cookie'. The proxy receives the same-site requests from the SDK, forwards them to TillAuth, and translates the responses into Set-Cookie for HttpOnly access and refresh cookies. Tokens never live in JavaScript.
Cookies are set HttpOnly, Secure (in prod), SameSite=Lax, with the access cookie's TTL aligned to the JWT exp and the refresh cookie's to 30 days.
Inline keys (air-gapped)
If your verifier can't reach TillAuth at startup, fetch the JWKS once and pass it in:
Rotation is your responsibility in this mode — re-deploy with the new JWKS during the 24-hour overlap window.
Performance notes
- Verification is ~150μs after the JWKS cache is warm. Cold-path adds the first JWKS fetch (one round trip, then cached).
- The verifier is safe to share across requests — no per-request state.
- On a
kidmiss (key rotation), JWKS is re-fetched lazily. The 24-hour overlap window means you should never see this happen on a hot token.
Browser side: @tilldev/auth-react.