Configuration

Default configuration keys for @quik/authorization. See Config Keys for the full generated table.

  • auth.jwt.secret (JWT_SECRET, default thisisasecret) — signing secret. Change this in every non-development environment.
  • auth.jwt.issuer / auth.jwt.audience (JWT_ISSUER / JWT_AUDIENCE) — values embedded in and verified against signed tokens.
  • auth.jwt.expireTime (JWT_EXPIRE_TIME, default 1d) — default token lifetime.
  • auth.jwt.rememberMeTime (JWT_REMEMBER_ME_TIME, default 1y) — lifetime used when the rememberMe option is passed to Utils.JWT.sign.
  • auth.jwt.algorithm (JWT_ALGORITHM, default HS256) — signing algorithm; use RS256 for RSA key pairs.
  • auth.authorization.fields.permission (AUTH_CHECK_FIELD, default permissions) — field read from the user payload by permission checks.
  • auth.authorization.fields.assuranceLevel (AUTH_AUTHORIZATION_ASSURANCE_LEVEL_FIELD, default assuranceLevel) — field used by AuthDecorators.RequireAssuranceLevel.
  • auth.authorization.fields.authenticationMethods / auth.authorization.fields.completedFactors — fields combined by AuthDecorators.RequireAnyFactor/RequireAllFactors to determine which factors a user has completed.

Notes

  • Defaults are loaded on import, so auth.jwt.* and auth.authorization.fields.* are available as soon as @quik/authorization is imported.
  • There is no default JWT secret suitable for production — auth.jwt.secret must be overridden via JWT_SECRET or a config file outside local development.
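The following is an added example, not code from @quik/authorization, showing how a startup guard can resolve the auth.jwt.* keys above from their environment variables and refuse to run outside local development with the documented default secret. The NODE_ENV convention, the lifetime syntax (an integer followed by s/m/h/d/y, generalised from the "1d" and "1y" defaults), the 32-byte minimum for an HS256 secret, and the function names are assumptions of this example, not documented behaviour of the library.

```javascript
// Added example, not @quik/authorization code: resolve the auth.jwt.* keys from the
// environment variables listed on this page and refuse to start outside local
// development with the documented default secret. NODE_ENV, the duration syntax
// and the 32-byte minimum are assumptions of this example.

const DEFAULT_SECRET = 'thisisasecret'; // documented default for auth.jwt.secret

// Config key -> environment variable and default, as listed on this page.
const JWT_KEYS = {
  'auth.jwt.secret':         { env: 'JWT_SECRET',           dflt: DEFAULT_SECRET },
  'auth.jwt.issuer':         { env: 'JWT_ISSUER',           dflt: undefined },
  'auth.jwt.audience':       { env: 'JWT_AUDIENCE',         dflt: undefined },
  'auth.jwt.expireTime':     { env: 'JWT_EXPIRE_TIME',      dflt: '1d' },
  'auth.jwt.rememberMeTime': { env: 'JWT_REMEMBER_ME_TIME', dflt: '1y' },
  'auth.jwt.algorithm':      { env: 'JWT_ALGORITHM',        dflt: 'HS256' },
};

const SECONDS = { s: 1, m: 60, h: 3600, d: 86400, y: 365 * 86400 };

// Assumed lifetime syntax: a positive integer followed by s, m, h, d or y ("1d", "1y").
// Returns the lifetime in seconds, or null when the value does not parse.
function parseDuration(value) {
  const m = /^(\d+)([smhdy])$/.exec(String(value));
  if (!m) return null;
  const n = Number(m[1]);
  return n > 0 ? n * SECONDS[m[2]] : null;
}

// Build the auth.jwt.* config from an env-like object; empty strings count as unset.
function resolveJwtConfig(env) {
  const cfg = {};
  for (const [key, { env: name, dflt }] of Object.entries(JWT_KEYS)) {
    const raw = env[name];
    cfg[key] = raw !== undefined && raw !== '' ? raw : dflt;
  }
  return cfg;
}

// Return the list of startup-blocking problems; an empty list means the config is usable.
// nodeEnv follows the assumed NODE_ENV convention: unset or "development" is local
// development, anything else is a non-development environment.
function checkJwtConfig(cfg, nodeEnv) {
  const problems = [];
  const isDev = nodeEnv === undefined || nodeEnv === 'development';
  const secret = cfg['auth.jwt.secret'];
  const alg = cfg['auth.jwt.algorithm'];

  if (alg === 'HS256') {
    if (!isDev && secret === DEFAULT_SECRET) {
      problems.push('auth.jwt.secret is the development default; set JWT_SECRET');
    }
    // RFC 7518 requires an HMAC key at least as long as the hash output (32 bytes for HS256).
    if (!isDev && new TextEncoder().encode(secret).length < 32) {
      problems.push('auth.jwt.secret is shorter than 32 bytes');
    }
  } else if (alg !== 'RS256') {
    // Only the two algorithms this page mentions are accepted; this also rejects "none".
    problems.push(`auth.jwt.algorithm "${alg}" is not HS256 or RS256`);
  }

  // Unset issuer/audience means tokens are not bound to this deployment outside dev.
  if (!isDev && !cfg['auth.jwt.issuer']) problems.push('auth.jwt.issuer is unset; set JWT_ISSUER');
  if (!isDev && !cfg['auth.jwt.audience']) problems.push('auth.jwt.audience is unset; set JWT_AUDIENCE');

  for (const key of ['auth.jwt.expireTime', 'auth.jwt.rememberMeTime']) {
    if (parseDuration(cfg[key]) === null) problems.push(`${key} "${cfg[key]}" is not a valid lifetime`);
  }
  return problems;
}

// Assumed startup wiring: fail fast before the application begins issuing tokens.
function assertJwtConfig(env) {
  const cfg = resolveJwtConfig(env);
  const problems = checkJwtConfig(cfg, env.NODE_ENV);
  if (problems.length) throw new Error('Unsafe JWT configuration:\n  ' + problems.join('\n  '));
  return cfg;
}
```

Calling `assertJwtConfig(process.env)` before the server starts turns the note above into an enforced invariant: with the defaults and NODE_ENV=production it throws, listing the default secret, its length, and the missing issuer and audience, while the same defaults pass unchanged in development. The algorithm check is independent of the environment so that a misconfigured JWT_ALGORITHM is caught everywhere.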