JWT Payloads are missing using EncryptJWT

[cLonata]

When I tried to take a sneakpeek on https://jwt.io/ with the encrypted JWT, they gave me a warning like so:

Warning: Looks like your JWT payload is not a valid JSON object. JWT payloads must be top level JSON objects as per https://tools.ietf.org/html/rfc7519#section-7.2

This is my code:

const encryptedJWT = await new EncryptJWT(payload)
      .setProtectedHeader({ alg: 'dir', enc: 'A256CBC-HS512', kid: thumbprint })
      .setIssuedAt()
      .setExpirationTime(maxAge)
      .setJti(crypto.randomUUID())
      .encrypt(encryptionSecret);

And this is my test:

describe('Session Manager', () => {
  const sessionManager = new SessionManager();
  const payloadTest = 'test';
  const secrets = 'test-key';
  const maxAge = 5000;

  it('should create new session', async () => {
    const newSession = await sessionManager.encode({
      payload: { payloadTest },
      secret: secrets,
      maxAge: maxAge,
      salt: 'test-salt',
    });
    expect(newSession.success).to.be.true;
  })
});

I have tried to put the payload in the key-pair first inside the encode function, also gave me warnings. Is it perhaps due to the payload being encrypted?

[panva]

EncryptJWT produces a JWE style JWT, which is, well, actually encrypted and encoded suitable for encrypting your sessions that only you can decrypt wit. jwt.io does not support JWE tokens

SignJWT, far more commonly used (and misused) produces a JWS style JWT, which is, well, signed and encoded.

You're maybe thinking of signing a jwt, not encrypting it? I don't get the question otherwise. Yes the jwt is encrypted and so obviously its payload cannot be read without decrypting first.

[cLonata]

Thought so! I am learning JWT, JWE and JWS and was wondering why if I use the SignJWT I can read the payload but with the EncryptJWT I can't. Since you already mentioned that SignJWT is far more commonly misused, I hope that my approach is okay and not in the misused part of JWE? Thanks for the answer!

[panva]

As far as i was able to infer, if you're doing this on the server to encrypt your session that you'll smash into a cookie and your server is meant to read it? Then yeah, it's perfect for that.