I’m trying to figure out how to use the jose package to decrypt and verify a JWT using JWE. I’ve tried to pass the encrypted JWT to the verify method like: await jose.jwtVerify(encryptedJWT, keys); but that returns JWSInvalid: Invalid Compact JWS. I then tried to decrypt the JWT, but then I can’t find the method/methods to use to verify just the header portion of the decrypted JWT. All of the verify methods seem to expect a non encrypted full JWT to function. Code is as follows:

const jose = require('jose')

let issuerPrivateJwk = 
{
"kty": "RSA",
"kid": "b6ec6560-95a9-45ff-9789-76d84c5634a0",
"d": "JYUmrK-yeetfBCW1rehEC5jPF1GFejx38uYSJKyDfT2lV2nA6Y8y0NWQMJqpPoHqBJvzEl9QFjZjZektjVC1VqnwPcksan0QhDjzqHxXFd1oJz9JWbbr5vr_WU69_cUufcQfOyYi4zI2FPrY3vhZNKz0b_-bK6vSsAF4svs_5p4kzhcXrvO3Udd-fN578QqfdGoPA6XVoh-xTsru87yMG6lW8VyS-cEolhLUqYcma1hT9xFcCf7PWOyLRrTaOCDCpUNWTIhD2eJBkdCmCt-OhSt_-aZKmpyubR_oRI31v7N9-FAbk4JEc3cDAAimdF5g7cv6VjjMuabpMgEvfFJ7ww",
"n": "z5XvP1zFb2TDOodvoFiQMIPNY2_0UxLhuCRUeWKFGbW7y4z9fS__IuDkAXzsJ0WL73zwwo5HaoBXv96InhKfJ95ZRYBCH8eHb2gymifHFFuiLTiPQ2FGuMbgfHEDb78VnwrF98uoVDjz2P1T5yxL9xl4wPL7kJeXZW_5WnnM4sG4v5PVmY8DzrOhEeO1S0yD_SdMz-qdT6W68NChmS0_Xt7YGpFMsVKxr59h1L-GeXyMIsBtoRP9sulreEdr8tI0A1TBoVZfkxkE_k3910XZEfvhqH8VmAEM1imqwitR7kQvtWBDN2293IIwVNZ_USIc_SYbSSgjMdXT1qxW6MJC5Q",
"e": "AQAB",
"p": "7RCNTtOyGhgLVHMyypq-kjzzGk2wfI_QBsCUJv7-nhnwaxYKVXma026k4JwiEeg7NGNxAOO0VZ-_RBo7xDv4GX7kU0vIPnAhiUK7aRzaDgz8FMVW9OMe0pY4TgDPYZKXpM59Mk3Jk5LODEaRCLoY_D4UK-6brSd7rtKUakUrpo8",
"q": "4CqaTPB468w61Fq5J6UDMrQfa1e7LOgiInvDdaZI3qnLMlwIOmPg7D4HxOlkHDKfo2EZLWj-l23LkP0SUuvw9nU5md-hVXc_5NmTVygFpfChPxyz36LdQYxBxUJJ9loRzMn9mL_vLgsVvVA0fNMThEOP11bDgcbNW_cbgxlDmUs",
"dp": "NfkjwwOttAUvZy3HLZunsdHQo3d2rBVuDmuAD5TU0ZgkRa1B8w35sxOo1D6X_y25dQcC7mnpX-k7-bxjSR1CMkPSpihF0fljmUWpN5hLCRHpvqzjTGP9W4K6FQBYNuXSQsKEfJR7RW8SHHdgg_UixSM5Intz1Ct-HGJzSfKvqn8",
"dq": "haeBFmyufFDppqFtEgEl9f5FWXgWhsDlUVAfiy8Y9YGhQKZ01XOlsNWPRk2tvc5FNmF3ZIbcfScen5T0bvJ0Wk4siN04UT_nnahIXEfljjn5uip_6NAvQZzBvj424SZ0xHiOtpuBnR9I1_ZRRTeIxGyP_-Ggcek5miKsia7vih8",
"qi": "5fxPMrV8lnudv9vqMBvEc5QsK6BhJseURdcA7lB4FQZpH9boxstL0Ij2azKoiu8ZC12bVYAOf9qJx8w6135SYwFYVEFuAIAS_1kvMgEb8dns_ZMp1mMNqVZACF6HjBIgssGGzSGNf3HDQUHeSzrDfUcDKicOMD9_8Z3caqATgE8"
}

let issuerPublicJwk = 
{
"kty": "RSA",
"kid": "b6ec6560-95a9-45ff-9789-76d84c5634a0",
"n": "z5XvP1zFb2TDOodvoFiQMIPNY2_0UxLhuCRUeWKFGbW7y4z9fS__IuDkAXzsJ0WL73zwwo5HaoBXv96InhKfJ95ZRYBCH8eHb2gymifHFFuiLTiPQ2FGuMbgfHEDb78VnwrF98uoVDjz2P1T5yxL9xl4wPL7kJeXZW_5WnnM4sG4v5PVmY8DzrOhEeO1S0yD_SdMz-qdT6W68NChmS0_Xt7YGpFMsVKxr59h1L-GeXyMIsBtoRP9sulreEdr8tI0A1TBoVZfkxkE_k3910XZEfvhqH8VmAEM1imqwitR7kQvtWBDN2293IIwVNZ_USIc_SYbSSgjMdXT1qxW6MJC5Q",
"e": "AQAB"
};

const keys = jose.createLocalJWKSet({keys: [issuerPublicJwk]})
const payload = {"user_id":"579077ee-f073-4bba-9e57-f1462e78cc17"}

// Encrypt the JWT with the private JWK
const secret = await jose.importJWK(issuerPrivateJwk, 'ES256')
const encryptedJWT = await new jose.EncryptJWT(payload)
  .setProtectedHeader({ alg: 'RSA-OAEP-256', enc: 'A256GCM' })
  .setExpirationTime('2h')
  .encrypt(secret);
// Now decrypt it 
const { plaintext: decryptedPayload, protectedHeader } = await jose.compactDecrypt(encryptedJWT, secret)
// but how to verify the JWT now ?