jose
JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.
MIT License
Bot releases are visible (Hide)
Fixes
- typescript: apply updated compact and jwt headers to compact/jwt verify and decrypt results (0c1946c)
Features
- add GeneralSign signature and GeneralEncrypt recipient builder chaining (cfc93f5)
Fixes
- node: dont mention CryptoKey in versions without webcrypto (401cabf)
Features
- General JWE Encryption (94eca81)
example Usage
import * as jose from "jose";
const firstRecipientKeyPair = await jose.generateKeyPair("RSA-OAEP-256");
const secondRecipientKeyPair = await jose.generateKeyPair("ECDH-ES+A256KW");
const thirdRecipientSecret = await jose.generateSecret("A256GCMKW");
const encoder = new TextEncoder();
const plaintext = encoder.encode(
"It’s a dangerous business, Frodo, going out your door."
);
const additionalAuthenticatedData = encoder.encode(
"The Fellowship of the Ring"
);
const enc = new jose.GeneralEncrypt(plaintext)
.setAdditionalAuthenticatedData(additionalAuthenticatedData)
.setProtectedHeader({ enc: "A256GCM" });
enc
.addRecipient(firstRecipientKeyPair.publicKey)
.setUnprotectedHeader({ alg: "RSA-OAEP-256" });
enc
.addRecipient(secondRecipientKeyPair.publicKey)
.setUnprotectedHeader({ alg: "ECDH-ES+A256KW" });
enc
.addRecipient(thirdRecipientSecret)
.setUnprotectedHeader({ alg: "A256GCMKW" });
const jwe = await enc.encrypt();
console.log(JSON.stringify(jwe, null, 4));
for (const recipientKey of [
firstRecipientKeyPair.privateKey,
secondRecipientKeyPair.privateKey,
thirdRecipientSecret,
]) {
await jose.generalDecrypt(jwe, recipientKey);
}
Fixes
- allow shorter HMAC secrets (57126f1)
Fixes
- edge-functions: don't use globalThis (3952030)
Bug Fixes
- build: ensure cjs/esm specific packages have the right main entry (2f4526a)
Features
- web: publish umd and bundle files to cdnjs.com (3b3100a)
Bug Fixes
- web: check Uint8Array CEK lengths, refactor for better tree-shaking (e8299f2)
Bug Fixes
- web: checking cryptokey applicability early (89dc2aa)
Bug Fixes
- typescript: re-export all types from index.d.ts (d68f104)
⚠ BREAKING CHANGES
- All module named exports have moved from subpaths to just "jose". For example,
import { jwtVerify } from 'jose/jwt/verify'is now justimport { jwtVerify } from 'jose'. - All submodule default exports and named have been removed in favour of just "jose" named exports.
- typescript: remove repeated type re-exports
- The undocumented
jose/util/randomwas removed. - The
jose/jwk/thumbprintnamed export is renamed tocalculateJwkThumbprint, nowimport { calculateJwkThumbprint } from 'jose' - The deprecated
jose/jwk/parsemodule was removed, useimport { importJWK } from 'jose'instead. - The deprecated
jose/jwk/from_key_likemodule was removed, useimport { exportJWK } from 'jose'instead.
Migration Guide
Migrating from v3.x to v4.x is very straight forward.
- All
importstatements,require(), orimport()invocations should be changed to use just'jose'as the target. - There are no more default exports. Everything was converted to a named export.
- Refer to the documentation if you're not sure how a given module should be imported / required.
- any custom resolvers targeting
josedist files for jest, typescript, or other tooling should be removed
// before (v3.x)
import { jwtVerify } from 'jose/jwt/verify'
import { SignJWT } from 'jose/jwt/sign'
import * as errors from 'jose/util/errors'
// after (v4.x)
import { jwtVerify, SignJWT, errors } from 'jose'
Bug Fixes
- allow tree-shaking of errors (0824301)
Bug Fixes
- typescript: PEM import functions always resolve a KeyLike, never a Uint8Array (8ef3a8e)
Package Rankings
Top 0.63% on Npmjs.org
Top 8.17% on Proxy.golang.org
Top 19.68% on Repo1.maven.org
Top 0.67% on Deno.land