Skip to content

jwt-3.0.0

Latest
Latest
Compare
Choose a tag to compare
@anakinj anakinj released this 14 Jun 17:34
· 5 commits to main since this release
v3.0.0
b987a51
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

v3.0.0 (2025-06-14)

Full Changelog

Breaking changes:

  • Require token signature to be verified before accessing payload #648 (@anakinj)
  • Drop support for the HS512256 algorithm #650 (@anakinj)
  • Remove deprecated claim verification methods #654 (@anakinj)
  • Remove dependency to rbnacl #655 (@anakinj)
  • Support only stricter base64 decoding (RFC 4648) #658 (@anakinj)
  • Custom algorithms are required to include JWT::JWA::SigningAlgorithm #660 (@anakinj)
  • Require RSA keys to be at least 2048 bits #661 (@anakinj)
  • Base64 encode and decode the k value for HMAC JWKs #662 (@anakinj)

Take a look at the upgrade guide for more details.

Features:

  • JWT::EncodedToken#verify! method that bundles signature and claim validation #647 (@anakinj)
  • Do not override the alg header if already given #659 (@anakinj)
  • Make JWK::KeyFinder compatible with JWT::EncodedToken #663 (@anakinj)

Fixes and enhancements:

Assets 2
Loading