"JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, and other Web-interoperable runtimes.
The following specifications are implemented by jose
- JSON Web Signature (JWS) - RFC7515
- JSON Web Encryption (JWE) - RFC7516
- JSON Web Key (JWK) - RFC7517
- JSON Web Algorithms (JWA) - RFC7518
- JSON Web Token (JWT) - RFC7519
- JSON Web Key Thumbprint - RFC7638
- JSON Web Key Thumbprint URI - RFC9278
- JWS Unencoded Payload Option - RFC7797
- CFRG Elliptic Curve ECDH and Signatures - RFC8037
- secp256k1 EC Key curve support - JOSE Registrations for WebAuthn Algorithms
The test suite utilizes examples defined in RFC7520 to confirm its JOSE implementation is correct.
example
ESM import
import * as jose from 'jose'
example
CJS require
const jose = require('jose')
example
Deno import
import * as jose from 'https://deno.land/x/jose/index.ts'
- JSON Web Tokens (JWT)
- Signing
- Verification & JWT Claims Set Validation
- Encrypted JSON Web Tokens
- Key Import
- JSON Web Encryption (JWE)
- JSON Web Signature (JWS)
- JSON Web Key (JWK)
- JSON Web Key Set (JWKS)
- Key Pair or Secret Generation
- Key Export
- Utilities
- Unsecured JWT
- JOSE Errors
The supported JavaScript runtimes include ones that support the utilized Web API globals and standard built-in objects or are Node.js
These are (this is not an exhaustive list):
Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ |
---|---|---|---|
v4.x | ✅ | ✅ | ✅ |
v3.x, v2.x, v1.x | ✅ | ❌ | ❌ |
- Whenever
Uint8Array
is a valid input, so isBuffer
since buffers are instances of Uint8Array. - Whenever
Uint8Array
is returned and you want aBuffer
instead, useBuffer.from(uint8array)
.
Yes the bundle size is on the larger side, that is because each module is actually published multiple times so that it can remain truly without dependencies and be universal / isomorphic.
Nevertheless, since each module can be required independently and is fully tree-shakeable, the install size should not be a cause for concern.