I quickly looked at the readme, try passing new Buffer('extension_SecReT=', 'base64') as secret. It doesn’t say anywhere on the sign doc, but on the verify doc https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback