Parses a Compact JWS without verifying its signature to extract protected header and payload. If the header indicates zip: 'DEF', the payload will be decompressed. This is safe for metadata discovery (e.g., resolving JWKS by iss/kid) but MUST NOT be used to trust content.
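The unverified parse described above, as an added example that is not the library's own code: it bounds the raw DEFLATE output and releases only iss and kid for key lookup. The function names, the 1 MiB cap and the trusted-issuer set are assumptions of this example.

```javascript
const zlib = require('node:zlib');

const MAX_INFLATED = 1024 * 1024; // assumed cap on decompressed payload bytes

// Decode header and payload of a Compact JWS. Nothing returned is authenticated.
function parseUnverified(jws) {
  const parts = typeof jws === 'string' ? jws.split('.') : [];
  if (parts.length !== 3 || parts.some((p) => !/^[A-Za-z0-9_-]+$/.test(p))) {
    throw new Error('not a Compact JWS');
  }
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  let body = Buffer.from(parts[1], 'base64url');
  if (header.zip === 'DEF') {
    // Raw DEFLATE, no zlib wrapper. Input is untrusted, so bound the output.
    body = zlib.inflateRawSync(body, { maxOutputLength: MAX_INFLATED });
  } else if (header.zip !== undefined) {
    throw new Error('unsupported zip value');
  }
  return { header, payload: JSON.parse(body.toString('utf8')) };
}

// Metadata discovery only: returns the issuer and key ID needed to find the
// verification key. The claims stay untrusted until the signature verifies.
function keyLookupHint(jws, trustedIssuers) {
  const { header, payload } = parseUnverified(jws);
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  if (typeof header.kid !== 'string') throw new Error('missing kid');
  // Assumed policy: only look up keys for issuers configured in advance.
  if (!trustedIssuers.has(payload.iss)) throw new Error('untrusted issuer');
  return { iss: payload.iss, kid: header.kid };
}

// Constructed sample token; the signature segment is a dummy, never checked here.
function sampleJws(payloadObj) {
  const enc = (x) => Buffer.from(x).toString('base64url');
  const header = { alg: 'ES256', zip: 'DEF', kid: 'constructed-kid' };
  const deflated = zlib.deflateRawSync(JSON.stringify(payloadObj));
  return [enc(JSON.stringify(header)), enc(deflated), enc('dummy-signature')].join('.');
}
```

The output cap matters because a few kilobytes of DEFLATE data can expand to gigabytes, and this code path runs before any signature check.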
Signs a JWT payload using the ES256 algorithm.
JWT payload to sign
ES256 private key
ES256 public key (for key ID derivation)
Optional enableCompression?: boolean
Whether to compress payload with raw DEFLATE (default: true). When enableCompression is true, compresses payload before signing and sets zip: "DEF".
Promise resolving to JWS string
JWSError When signing fails, key import fails, or payload is invalid
Verifies a JWS and returns the decoded payload.
JWS string to verify
ES256 public key for verification
Optional config: { verifyExpiration?: boolean }
Optional verifyExpiration?: boolean
Whether to verify the JWT exp claim during verification. When true (default), expired health cards will be rejected. Set to false to allow expired cards to be accepted.
Promise resolving to decoded JWT payload
JWSError When verification fails or JWS is invalid
Handles JWT/JWS signing and verification with the ES256 algorithm.