"JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.
The following specifications are implemented by jose
- JSON Web Signature (JWS) - RFC7515
- JSON Web Encryption (JWE) - RFC7516
- JSON Web Key (JWK) - RFC7517
- JSON Web Algorithms (JWA) - RFC7518
- JSON Web Token (JWT) - RFC7519
- JSON Web Key Thumbprint - RFC7638
- JSON Web Key Thumbprint URI - RFC9278
- JWS Unencoded Payload Option - RFC7797
- CFRG Elliptic Curve ECDH and Signatures - RFC8037
- secp256k1 EC Key curve support - JOSE Registrations for WebAuthn Algorithms
The test suite utilizes examples defined in RFC7520 to confirm its JOSE implementation is correct.
example ESM import
import * as jose from 'jose'example CJS require
const jose = require('jose')example Deno import
import * as jose from 'https://deno.land/x/jose@v4.13.1/index.ts'- JSON Web Tokens (JWT)
- Signing
- Verification & JWT Claims Set Validation
- Encrypted JSON Web Tokens
- Key Import
- JSON Web Encryption (JWE)
- JSON Web Signature (JWS)
- JSON Web Key (JWK)
- JSON Web Key Set (JWKS)
- Key Pair or Secret Generation
- Key Export
- Utilities
- Unsecured JWT
- JOSE Errors
The supported JavaScript runtimes include ones that support the utilized Web API globals and standard built-in objects or are Node.js
These are (this is not an exhaustive list):
| Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ |
|---|---|---|---|
| v4.x | ✅ | ✅ | ✅ |
| v3.x, v2.x, v1.x | ✅ | ❌ | ❌ |
- Whenever
Uint8Arrayis a valid input, so isBuffersince buffers are instances of Uint8Array. - Whenever
Uint8Arrayis returned and you want aBufferinstead, useBuffer.from(uint8array).
Yes the bundle size is on the larger side, that is because each module is actually published multiple times so that it can remain truly without dependencies and be universal / isomorphic.
Nevertheless, since each module can be required independently and is fully tree-shakeable, the install size should not be a cause for concern.