JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.
MIT License
Bot releases are hidden (Show)
Electron v6.x runtime is supported to the extent of the crypto engine BoringSSL feature parity with standard Node.js OpenSSL. The following is disabled in Electron runtime because of its lack of support.
A128KW
, A192KW
and A256KW
algs are not available, this also means that other JWAs depending on those are not working, those are ECDH-ES+A128KW
, ECDH-ES+A192KW
, ECDH-ES+A256KW
, PBES2-HS256+A128KW
, PBES2-HS384+A192KW
, PBES2-HS512+A256KW
)Ed448
, X25519
and X448
are not supportedsecp256k1
is not supportedIt is now possible to pass a profile to JWT.verify
and have the JWT validated according to it. This makes sure you pass all the right options and that required claims are present, prohibited claims are missing and that the right JWT typ is used.
More profiles will be added in the future.
JWK.importKey
in favor of JWK.asKey
JWKS.KeyStore.fromJWKS
in favor of JWKS.asKeyStore
Both JWK.importKey
and JWKS.KeyStore.fromJWKS
could have resulted in the process getting blocked when large bitsize RSA private keys were missing their components and could also result in an endless calculation loop when the private key's private exponent was outright invalid or tampered with.
The new methods still allow to import private RSA keys with these optimization key parameters missing but its disabled by default and one should choose to enable it when working with keys from trusted sources
It is recommended not to use @panva/jose versions with this feature in its original on-by-default form - v1.1.0 and v1.2.0
operation
option was removed, key_ops: string[]
supersedes it