RestingOwl owl logo RestingOwl

Meet owltokenguard

Issue, verify, rotate and revoke JWTs in Node.js without owning your persistence layer. Built to the OWASP JWT and session-management guidance and ASVS 5.0.

Install via npm
$ npm install @restingowlorg/owltokenguard

What OwlTokenGuard Blocks

Every control is traced to a specific OWASP standard. No guesswork, no checkbox security.

๐ŸŽญ
Token Forgery
Signature-first verification with strict algorithm allowlists rejects the none algorithm and algorithm confusion attacks.
OWASP A02:2021
๐Ÿ”
Refresh Token Replay
Refresh token rotation makes each refresh single-use, so a stolen or replayed token is detected and rejected.
OWASP A07:2021
๐Ÿšซ
No Way to Revoke
Revoke by jti, raw token, or cutoff timestamp through your own store, so access ends the moment you need it to.
OWASP A07:2021
โฑ๏ธ
Stale Sessions
Reauthentication freshness stamps and enforces reauth_at, so sessions go stale after email or MFA changes.
OWASP A07:2021
๐Ÿ“–
Secrets in Tokens
Optional AES-256-GCM payload encryption and clear guidance keep sensitive data out of readable token payloads.
OWASP A02:2021
๐Ÿ”“
Unchecked Tokens
Issuer, audience, expiry, and purpose are verified on every request, closing access paths that trust unverified tokens.
OWASP A01:2021

OwlTokenGuard FAQ

No. OwlTokenGuard owns token-level cryptography: JWT signing, verification, registered claims, purpose checks, optional payload encryption, and opaque reference tokens. Durable session storage stays yours: it exposes hooks such as onRefreshTokenIssued, consumeRefreshToken, and onSessionTerminate that you back with your own store or a session-management library.
HS256, HS512, RS256, and ES256. It defaults to RS256 at the library level. HS256/HS512 require a high-entropy HMAC secret of at least 64 characters, RS256 verification rejects keys below 2048 bits, and ES256 requires the P-256 (prime256v1) curve.
Refresh token rotation (RTR) means each refresh token is one-time use. When a client redeems a refresh token, OwlTokenGuard issues a new access and refresh pair in an OAuth-style token response and marks the old refresh token consumed, so a stolen or replayed refresh token is detected and rejected.
Yes. It ships verification middleware for both Express and Fastify with a typed auth context on the request. The core is framework-agnostic, so you can also use the TokenManager directly in any Node.js backend.
Copied!