From 4d5bc02151ea64307adb54b899228e0077504ad2 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Thu, 6 Mar 2025 00:50:38 +0300
Subject: [PATCH] fix(jwt): improve private key decryption error handling
---
 packages/better-auth/src/plugins/jwt/index.ts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/packages/better-auth/src/plugins/jwt/index.ts b/packages/better-auth/src/plugins/jwt/index.ts
index 5acc766be1..40421aec95 100644
--- a/packages/better-auth/src/plugins/jwt/index.ts
+++ b/packages/better-auth/src/plugins/jwt/index.ts
@@ -15,6 +15,7 @@ import {
 } from "../../api";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto";
 import { mergeSchema } from "../../db/schema";
+import { BetterAuthError } from "../../error";

 type JWKOptions =
 | {
@@ -147,6 +148,10 @@ export async function getJwtToken(
 ? await symmetricDecrypt({
 key: ctx.context.secret,
 data: JSON.parse(key.privateKey),
+ }).catch(() => {
+ throw new BetterAuthError(
+ "Failed to decrypt private private key. Make sure the secret currently in use is the same as the one used to encrypt the private key. If you are using a different secret, either cleanup your jwks or disable private key encryption.",
+ );
 })
 : key.privateKey;
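Review bot: The new `.catch(() => { … })` on `symmetricDecrypt` discards the underlying error and reports every failure as a secret mismatch, so a corrupted or tampered stored key becomes indistinguishable from a rotated secret. Take the error as a parameter, `}).catch((error) => {`, and record it server-side before throwing, or attach it as the cause if `BetterAuthError` supports one (its constructor is not visible here). `JSON.parse(key.privateKey)` is evaluated while the argument object is built, before the promise exists, so a malformed stored value still surfaces as a raw `SyntaxError` instead of this message. The message has a duplicated word, `"Failed to decrypt private private key."` should read `"Failed to decrypt private key."`, and because it suggests disabling private key encryption it is better kept to server logs than returned to API callers, if this error can reach a response. The body of `getJwtToken` starts and ends outside the hunk.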