Parses a Compact JWS without verifying its signature to extract protected header and payload. If the header indicates zip: 'DEF', the payload will be decompressed. This is safe for metadata discovery (e.g., resolving JWKS by iss/kid) but MUST NOT be used to trust content.
JWS string to parse
Promise resolving to header and payload objects
PayloadValidationError When JWS string is invalid
JWSError When JWS parsing fails
Signs a JWT payload using ES256 algorithm.
JWT payload to sign
ES256 private key (CryptoKey, Uint8Array, PEM string, or JsonWebKey)
ES256 public key for key ID derivation (CryptoKey, Uint8Array, PEM string, or JsonWebKey)
Optional
enableCompression?: booleanWhether to compress payload with raw DEFLATE (default: true).
When enableCompression
is true, compresses payload before signing and sets zip: "DEF"
.
Promise resolving to JWS string
PayloadValidationError When payload structure validation fails
JWSError When signing fails or key import fails
Verifies a JWS and returns the decoded payload.
JWS string to verify
ES256 public key for verification (CryptoKey, Uint8Array, PEM string, or JsonWebKey)
Optional
config: { verifyExpiration?: boolean }Optional
verifyExpiration?: booleanWhether to verify the JWT exp
claim during verification.
When true (default), expired health cards will be rejected.
Set to false to allow expired cards to be accepted.
Promise resolving to decoded JWT payload
SignatureVerificationError When JWS signature verification fails
ExpirationError When health card has expired
PayloadValidationError When payload structure validation fails
JWSError When other JWS processing fails
Handles JWT/JWS signing and verification with ES256 algorithm.