Lines 265-305 (typescript)
266 * // Explicit override.
267 * const jwk2 = await importPEM(pemString, "RS256", { pemType: "x509" });
270 declare function importPEM<T extends JWK>(pem: string, alg: JWKPEMAlgorithm, options?: {
271 /** PEM type. Inferred from the PEM label when omitted. */ pemType?: "pkcs8" | "spki" | "x509"; /** Additional JWK properties merged into the exported key (e.g. `kid`). */
272 jwkParams?: Omit<JWKParameters, "alg" | "kty" | "key_ops" | "ext">;
275 * @deprecated Use {@link importPEM} instead. `pemType` has moved into the options object and
276 * is now inferred from the PEM label by default.
278 declare function importFromPEM<T extends JWK>(pem: string, pemType: "pkcs8" | "spki" | "x509", alg: JWKPEMAlgorithm, options?: {
279 jwkParams?: Omit<JWKParameters, "alg" | "kty" | "key_ops" | "ext">;
282 * Exports a JWK to a PEM-encoded string.
284 * The PEM format is inferred from the JWK shape:
285 * - JWK with `d` (private component) → PKCS#8 (`-----BEGIN PRIVATE KEY-----`)
Critical: Critical Secret
Package contains a critical-looking secret pattern.
dist/core/jwk.d.mts · L285
286 * - JWK without `d` → SubjectPublicKeyInfo (`-----BEGIN PUBLIC KEY-----`)
288 * X.509 certificate export is intentionally not supported: a certificate carries metadata
289 * (subject/issuer DNs, validity window, extensions) and a CA signature that a JWK cannot provide.
290 * Producing a cert is a CA operation, not a key-format conversion.
292 * Symmetric `oct` JWKs cannot be exported to PEM — PKCS#8/SPKI are asymmetric-key formats.
294 * @param jwk The JWK to export. Must not be `kty: "oct"`.
296 * - `pemFormat?` — force the output format. Inferred from the JWK shape when omitted.
297 * - `alg?` — algorithm hint used only when `jwk.alg` is absent (both `kty: "RSA"` / `"EC"` /
298 * `"OKP"` JWKs need an algorithm to be round-tripped through `crypto.subtle.importKey`).
299 * @throws `JWTError("ERR_JWK_UNSUPPORTED")` for `oct` JWKs, or an unrecognised `pemFormat`.
300 * @throws `JWTError("ERR_JWK_INVALID")` if the JWK requires an `alg` hint that was not supplied,
301 * or if `pemFormat` is forced to a value incompatible with the JWK's public/private shape.
305 * // Inferred — private JWKs become PKCS#8, public JWKs become SPKI.