🚀 Feature Request: Create free JWT decryption service or give one free service worker

[VR-Architect]

Describe the solution

In an effort to promote the use of use of JWT for security it would be very appreciated if Cloudflare either:

• Created a decryption service and make it available for no counts against our worker hit counts, or
• Allowed us to define one service as a security validation service and have it removed from our worker hit counts

Why?
In order to promote code reuse, we have separated our decryption service to a service worker. That service worker is called with almost every other public call to our other workers so we can validate the security token. This results in two hits to our purchased worker hit counts for every call to our API instead of one. Of course, we could copy-paste the code snippet into every worker we have, but then we would also have to edit the secret variable for everyone of them too which would be very painful. It would really help if Cloudflare could actually write and own this special service so we all have your best security practices in place. If that is not an option, then allowing us to define one security service with the following rules would be awesome:

• The service worker cannot be accessed from the internet
• The service worker can only accept a JWT token
• The service worker cannot access any other services, KV, D1, etc.
• The service worker must run within a certain defined period of ms and be of a very small size.
• The service worker JWT decryption key is defined as a secret variable

I estimate with about 21,000 daily active customers, they will make a minimum of 30 API calls per day. This results in 630k calls per day and 18.9M per month without using a separate service worker. If we use a separate service worker, those values double. Of course, the 30 calls a day is a minimum just to log in and look around. It doesn't account for users staying and using our services for longer.

Here is the code we have started with:

import jwt from '@tsndr/cloudflare-worker-jwt'

export default {
    async fetch(request, env) {
        const tokenField = request.headers.get('authorization')

        // Remove the "bearer" label
        const token = tokenField.substring(6).trim();

        try {
            // NOTE: Validate also checks the timestamp TTL 
            const isValid = await jwt.verify(token, env.JWT_TOKEN_KEY, { algorithm: 'HS256' }) 
            if (!isValid) {
                return new Response('Invalid Java Web Token (JWT) 1.', { status: 403 });
            }
            else {
                const { payload } = jwt.decode(token)       
                return new Response(JSON.stringify(payload), { status: 200 })
            }
        } catch (e) {            
            return new Response('Invalid Java Web Token (JWT) 2.', { status: 403 });
        }
    },
};

Thank you for the consideration.

[admah]

@VR-Architect thanks for writing this request up. I'm going to transfer to a Discussion to get additional feedback on it from the community. We have discussed this internally a bit, but can't commit to anything currently.

[lakano]

I love the idea, I just want to give my wish to not force it to a kind of token ( JWS aka JWT ). There is different (better?) solutions like Biscuit, Macaroon, PASETO ...