Meet owltokenguard
Issue, verify, rotate and revoke JWTs in Node.js without owning your persistence layer. Built to the OWASP JWT and session-management guidance and ASVS 5.0.
owltokenguard
@restingowlorg/owltokenguardAccess and refresh JWT issuance, refresh-token rotation, fail-shut verification, session revocation, reauthentication freshness, opaque reference tokens and optional AES-256-GCM payload encryption, all behind one typed API.
Generate access JWTs and optional refresh JWTs from one TokenManager.
One-time refresh consumption (RTR) with an OAuth-style token response.
Signature-first checks with issuer, audience, temporal, purpose and algorithm allowlists.
Revoke by jti, raw token, cutoff timestamp or custom policy. Persistence stays yours.
Stamp and enforce reauth_at so sessions go stale after email or MFA changes.
Drop-in verification middleware for both frameworks with a typed auth context.
Signature-first, fail-shut verification with algorithm allowlists, traced to the OWASP JWT Cheat Sheet, Session Management Cheat Sheet, ASVS 5.0 and OWASP Top 10:2025. See the full docs โ
What OwlTokenGuard Blocks
Every control is traced to a specific OWASP standard. No guesswork, no checkbox security.