
mcollina/oauth

Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.

Overall: 94 (1.40x)
Quality: 95% (Does it follow best practices?)
Impact: 93% (1.40x)
Average score across 5 eval scenarios
Security by Snyk: Passed (No known issues)


evals/scenario-1/task.md

Secure an Internal API with JWT Bearer Token Verification

Problem/Feature Description

A fintech company runs several Fastify microservices that communicate via JWT bearer tokens issued by a central authorization server. Recently a security audit flagged that one of the services was insufficiently validating incoming JWTs — tokens from a decommissioned service and even expired tokens were still being accepted. The platform team needs a reusable Fastify hook that rigorously validates every incoming JWT before any handler runs.

The authorization server uses asymmetric key pairs and publishes its keys via a JWKS endpoint. Tokens include standard RFC 7519 claims: exp, iss, aud, and sub.

Output Specification

Produce a TypeScript implementation with the following files:

  • hooks/verifyToken.ts — a Fastify hook function that validates JWT bearer tokens
  • routes/api.ts — a sample protected route group that uses the hook

The hook should read expected values from environment variables:

  • EXPECTED_ISSUER — the expected iss claim value
  • EXPECTED_AUDIENCE — the expected aud claim value

The route file should include at least one protected route (e.g. GET /me) that returns a field from the validated token payload.

No need to start a server or connect to a live authorization server. Produce only the source files.
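As an added example (not part of the skill, the eval scenario, or mcollina's code), the following shows one way to build the hook the task describes using only Node's built-in crypto module. The names signJwt, verifyJwt, makeVerifyToken, meHandler and demoJwks are this example's own; Fastify's request and reply objects are replaced by minimal structural interfaces so the file runs without the framework installed, and the RSA key pair plus JWKS are generated at load time as a constructed stand-in for the central authorization server. The algorithm is pinned to RS256 on the verifier side, the kid is looked up in the JWKS (so a key removed for a decommissioned service no longer verifies), and exp, nbf, iss, aud and sub are all checked before the handler runs.

```typescript
// Added example: JWKS-backed JWT bearer verification shaped as a Fastify preHandler hook.
// Only Node built-ins are used; Fastify types are stand-ins (assumption: only these members matter).
import { createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

export interface JwtPayload { iss?: string; aud?: string | string[]; sub?: string; exp?: number; nbf?: number; [k: string]: unknown }
export interface Jwks { keys: Array<{ kid?: string; alg?: string; kty: string; n?: string; e?: string }> }
export interface VerifyOptions { issuer: string; audience: string; now?: number } // now in seconds, injectable for tests

const b64u = (b: Buffer | string): string => Buffer.from(b).toString('base64url');
const fromB64u = (s: string): Buffer => Buffer.from(s, 'base64url');

// Issuer side (constructed for the demo): mint an RS256 token carrying a kid header.
export function signJwt(payload: JwtPayload, key: KeyObject, kid: string): string {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const body = b64u(JSON.stringify(payload));
  const sig = sign('sha256', Buffer.from(`${head}.${body}`), key); // RSASSA-PKCS1-v1_5 with SHA-256
  return `${head}.${body}.${b64u(sig)}`;
}

// Resource-server side: verify the signature against the JWKS, then the RFC 7519 claims.
export function verifyJwt(token: string, jwks: Jwks, opts: VerifyOptions): JwtPayload {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(fromB64u(head).toString('utf8')) as { alg?: string; kid?: string };
  // Pin the algorithm: the token's own "alg" must never choose the verification method (rejects "none").
  if (header.alg !== 'RS256') throw new Error(`unsupported alg ${String(header.alg)}`);
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid'); // keys of retired services simply disappear from the JWKS
  const pub = createPublicKey({ key: jwk, format: 'jwk' });
  if (!verify('sha256', Buffer.from(`${head}.${body}`), pub, fromB64u(sig))) throw new Error('bad signature');
  const payload = JSON.parse(fromB64u(body).toString('utf8')) as JwtPayload;
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('token expired');
  if (typeof payload.nbf === 'number' && payload.nbf > now) throw new Error('token not yet valid');
  if (payload.iss !== opts.issuer) throw new Error('issuer mismatch');
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud]; // aud may be a string or an array
  if (!aud.includes(opts.audience)) throw new Error('audience mismatch');
  if (typeof payload.sub !== 'string' || payload.sub === '') throw new Error('missing sub');
  return payload;
}

// Structural stand-ins for FastifyRequest / FastifyReply (assumption; replace with the real types in a project).
export interface HookRequest { headers: Record<string, string | undefined>; user?: JwtPayload }
export interface HookReply { code(status: number): HookReply; send(body: unknown): unknown }

// hooks/verifyToken.ts equivalent: app.addHook('preHandler', makeVerifyToken(jwks)).
// Expected issuer and audience come from EXPECTED_ISSUER / EXPECTED_AUDIENCE as the task specifies.
export function makeVerifyToken(jwks: Jwks, env: Record<string, string | undefined> = process.env) {
  const issuer = env.EXPECTED_ISSUER;
  const audience = env.EXPECTED_AUDIENCE;
  if (!issuer || !audience) throw new Error('EXPECTED_ISSUER and EXPECTED_AUDIENCE must be set');
  return async function verifyToken(request: HookRequest, reply: HookReply): Promise<unknown> {
    const m = /^Bearer\s+(\S+)$/i.exec(request.headers.authorization ?? '');
    if (!m) return reply.code(401).send({ error: 'missing bearer token' });
    try {
      request.user = verifyJwt(m[1], jwks, { issuer, audience });
    } catch {
      // Keep the client-facing message generic; the precise failure reason belongs in server logs.
      return reply.code(401).send({ error: 'invalid token' });
    }
    return undefined; // falling through lets Fastify continue to the route handler
  };
}

// routes/api.ts equivalent: handler for GET /me returning a field from the validated payload.
export function meHandler(request: HookRequest): { sub: string | undefined } {
  return { sub: request.user?.sub };
}

// Constructed key pair and JWKS standing in for the authorization server's published keys.
export const { publicKey: demoPublicKey, privateKey: demoPrivateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
export const demoJwks: Jwks = {
  keys: [{ ...(demoPublicKey.export({ format: 'jwk' }) as { kty: string; n: string; e: string }), kid: 'demo-key-1', alg: 'RS256' }],
};
```

In a real service the JWKS would be fetched from the authorization server's endpoint and cached (with a refetch on an unknown kid), and `now` would be left to default to the wall clock; it is injectable here so that the expiry check can be exercised deterministically.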

Files:

  • evals/scenario-1/criteria.json
  • evals/scenario-1/task.md
  • SKILL.md
  • tile.json