Atlassian-jwt 2.0 Algorithm from the header "HS256" does not match

Recently I bumped atlassian-connect-express to 7.0.1 and atlassian-jwt to 2.0.0.

Now I see this message “Algorithm from the header “HS256” does not match” for each post install hook.

I copied samples from and created a minimal project to test it:

  "dependencies": {
    "atlassian-jwt": "^2.0.0",
    "esm": "^3.2.25",
    "moment": "^2.29.1"
  }

import * as jwt from 'atlassian-jwt';
import moment from 'moment';

const now = moment().utc();

const req = jwt.fromMethodAndUrl('GET', '/rest/resource/you/want');

const tokenData = {
    "iss": 'issuer-val',
    "iat": now.unix(),                    // The time the token is generated
    "exp": now.add(3, 'minutes').unix(),  // Token expiry time (recommend 3 minutes after issuing)
    "qsh": jwt.createQueryStringHash(req) // [Query String Hash](
};

const secret = 'xxx';

const token = jwt.encodeSymmetric(tokenData, secret);

const decoded = jwt.decodeSymmetric(token, secret);
console.log(decoded); //=> { foo: 'bar' }

const decodedUnverifing = jwt.decodeSymmetric(token, null, true);
console.log(decodedUnverifing); //=> { foo: 'bar' }


$ node -r esm index.js
Error: Algorithm from the header "HS256" does not match
    at validateSymmetricAlgorithm (/private/tmp/node_modules/atlassian-jwt/dist/lib/jwt.js:279:15)
    at Proxy.jwt_decode_symmetric (/private/tmp/node_modules/atlassian-jwt/dist/lib/jwt.js:177:5)
    at Object.<anonymous> (/private/tmp/index.js:20:21)
    at (<anonymous>)

This is exactly the same error message I have in the logs while trying to use jwt.decodeSymmetric.

Additionally, the documentation suggests that decodeSymmetric does not require a signedAlgorithm string as a parameter, whereas ./dist/lib/jwt.d.ts:73 shows this definition:

export declare const decodeSymmetric: (token: string, key: string, signedAlgorithm: Algorithm, noVerify?: boolean | undefined) => any;

This seems to be a bug in the newly upgraded library. But I can’t create an issue there.

Has anyone else experienced that?


I’m also seeing this with atlassian-jwt@2.0.1 but even just with jwt.decodeSymmetric(token, null, true)

I need to do more testing, but I treated it like the TypeScript examples so:

decoded = jwt.decodeSymmetric(token, null, jwt.SymmetricAlgorithm.HS256, true);


decoded = jwt.decodeSymmetric(token, secret, jwt.SymmetricAlgorithm.HS256);

@james.dellow The following works for me:

  const now = Math.floor(Date.now() / 1000);
  const tokenData = {
    "iss": 'Document Data',
    "iat": `${now}`,        // The time the token is generated
    "exp": `${now + 180}`,  // Token expiry time (recommend 3 minutes - 180 secs after issuing)
    "tokentext": cleanText,
  };
  const token = jwt.encodeSymmetric(tokenData, JWTHS256);

  const decoded = jwt.decodeSymmetric(token, JWTHS256, 'HS256');

I can’t explain it :slight_smile:

I tested again using ‘HS256’ instead of jwt.SymmetricAlgorithm.HS256 and it now works.


Except when I deployed to production and it failed. I reverted back to jwt.SymmetricAlgorithm.HS256 and it works.
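
Added example, not part of the thread and not atlassian-jwt's own code: a self-contained Node sketch of a decoder with the 2.x parameter order shown in jwt.d.ts above, where the caller pins the expected algorithm and the token header is only compared against it. The names `encodeHS256`, `decodePinned` and `attempt`, the secret and the comparison logic are assumptions made for illustration; the error text is copied from the stack trace above.

```javascript
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sign = (input, key) => crypto.createHmac('sha256', key).update(input).digest();

// Build an HS256 token (constructed sample, not a real Connect token).
function encodeHS256(claims, key) {
  const head = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(sign(`${head}.${body}`, key))}`;
}

// Hypothetical decoder with the 2.x parameter order from jwt.d.ts:
// (token, key, signedAlgorithm, noVerify). The caller pins the algorithm.
function decodePinned(token, key, signedAlgorithm, noVerify) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Not enough or too many segments');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (noVerify) return claims;
  // The header is sender-controlled input, so it is only compared, never trusted.
  if (header.alg !== signedAlgorithm) {
    throw new Error(`Algorithm from the header "${header.alg}" does not match`);
  }
  if (signedAlgorithm !== 'HS256') throw new Error('Algorithm not supported in this sketch');
  const given = Buffer.from(sig, 'base64url');
  const expected = sign(`${head}.${body}`, key);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('Signature verification failed');
  }
  return claims;
}

// Run a call and report either the claims or the error message.
function attempt(...args) {
  try { return { ok: true, claims: decodePinned(...args) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

const secret = 'constructed-secret';
const token = encodeHS256({ iss: 'issuer-val' }, secret);
console.log(attempt(token, secret));               // 1.x-style call, no algorithm
console.log(attempt(token, null, true));           // `true` lands in signedAlgorithm
console.log(attempt(token, secret, 'HS256'));      // pinned algorithm, verified
console.log(attempt(token, null, 'HS256', true));  // explicit noVerify
```

In this sketch the first two calls fail with the mismatch error because the third positional argument is not the string `HS256`; the last two succeed.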