Built and signed on GitHub ActionsBuilt and signed on GitHub Actions
JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes
Base64URL encoding and decoding utilities
Recognized Compact JWE Header Parameters, any other Header Members may also be present.
Recognized Compact JWS Header Parameters, any other Header Members may also be present.
Shared Interface with a "crit" property for all sign, verify, encrypt and decrypt operations.
!CryptoKey is a representation of a key/secret available in all supported runtimes. In addition to the Key Import Functions you may use the !SubtleCrypto.importKey API to obtain a !CryptoKey from your existing key material.
JWE Decryption options.
JWE Encryption options.
JOSE module errors and error codes
Flattened JWE JSON Serialization Syntax decryption result
Flattened JWE JSON Serialization Syntax token.
Flattened JWS JSON Serialization Syntax token. Payload is returned as an empty string when JWS Unencoded Payload (RFC7797) is used.
Flattened JWS definition for verify function inputs, allows payload as !Uint8Array for detached signature validation.
Flattened JWS JSON Serialization Syntax verification result
General JWE JSON Serialization Syntax decryption result
General JWS JSON Serialization Syntax token. Payload is returned as an empty string when JWS Unencoded Payload (RFC7797) is used.
General JWS definition for verify function inputs, allows payload as !Uint8Array for detached signature validation.
General JWS JSON Serialization Syntax verification result
Generic Interface for consuming operations dynamic key resolution.
Recognized JWE Header Parameters, any other Header members may also be present.
Recognized JWS Header Parameters, any other Header Members may also be present.
JWT Claims Set verification options.
Recognized Signed JWT Header Parameters, any other Header Members may also be present.
Generic interface for JWT producing classes.
JWS Signing options.
In prior releases this indicated whether a Node.js-specific build was loaded, this is now fixed
to "WebCryptoAPI"
base64url
Base64URL encoding and decoding utilities
Decodes a Base64URL encoded input.
Encodes an input using Base64URL with no padding.
Decodes a Base64URL encoded input.
Encodes an input using Base64URL with no padding.
decode/protected_header
JOSE Protected Header Decoding (JWE, JWS, all serialization syntaxes)
Decodes the Protected Header of a JWE/JWS/JWT token utilizing any JOSE serialization.
JWE and JWS Header Parameters
errors
JOSE module errors and error codes
An error subclass thrown when a JOSE Algorithm is not allowed per developer preference.
An error subclass thrown when a particular feature or algorithm is not supported by this implementation or JOSE in general.
An error subclass thrown when JWS signature verification fails.
An error subclass thrown when a JWT Claim Set member validation fails.
An error subclass thrown when a JOSE Algorithm is not allowed per developer preference.
An error subclass thrown when a particular feature or algorithm is not supported by this implementation or JOSE in general.
An error subclass thrown when a JWT Claim Set member validation fails.
jwe/compact/decrypt
Decrypting JSON Web Encryption (JWE) in Compact Serialization
Decrypts a Compact JWE.
Interface for Compact JWE Decryption dynamic key resolution. No token components have been verified at the time of this function call.
jwe/compact/encrypt
Encrypting JSON Web Encryption (JWE) in Compact Serialization
The CompactEncrypt class is used to build and encrypt Compact JWE strings.
jwe/flattened/decrypt
Decrypting JSON Web Encryption (JWE) in Flattened JSON Serialization
Decrypts a Flattened JWE.
Interface for Flattened JWE Decryption dynamic key resolution. No token components have been verified at the time of this function call.
jwe/flattened/encrypt
Encrypting JSON Web Encryption (JWE) in Flattened JSON Serialization
The FlattenedEncrypt class is used to build and encrypt Flattened JWE objects.
jwe/general/decrypt
Decrypting JSON Web Encryption (JWE) in General JSON Serialization
Decrypts a General JWE.
Interface for General JWE Decryption dynamic key resolution. No token components have been verified at the time of this function call.
jwe/general/encrypt
Encrypting JSON Web Encryption (JWE) in General JSON Serialization
The GeneralEncrypt class is used to build and encrypt General JWE objects.
Used to build General JWE object's individual recipients.
jwk/embedded
Verification using a JWK Embedded in a JWS Header
EmbeddedJWK is an implementation of a GetKeyFunction intended to be used with the JWS/JWT verify
operations whenever you need to opt-in to verify signatures with a public key embedded in the
token's "jwk" (JSON Web Key) Header Parameter. It is recommended to combine this with the verify
function's algorithms option to define accepted JWS "alg" (Algorithm) Header Parameter values.
jwk/thumbprint
JSON Web Key Thumbprint and JSON Web Key Thumbprint URI
Calculates a base64url-encoded JSON Web Key (JWK) Thumbprint
Calculates a JSON Web Key (JWK) Thumbprint URI
jwks/local
Verification using a JSON Web Key Set (JWKS) available locally
Returns a function that resolves a JWS JOSE Header to a public key object from a locally stored, or otherwise available, JSON Web Key Set.
jwks/remote
Verification using a JSON Web Key Set (JWKS) available on an HTTP(S) URL
Returns a function that resolves a JWS JOSE Header to a public key object downloaded from a
remote endpoint returning a JSON Web Key Set, that is, for example, an OAuth 2.0 or OIDC
jwks_uri. The JSON Web Key Set is fetched when no key matches the selection process but only as
frequently as the cooldownDuration option allows to prevent abuse.
When passed to createRemoteJWKSet this allows the resolver to make use of advanced fetch configurations, HTTP Proxies, retry on network errors, etc.
See customFetch.
DANGER ZONE - This option has security implications that must be understood, assessed for applicability, and accepted before use. It is critical that the JSON Web Key Set cache only be writable by your own code.
See jwksCache.
Options for the remote JSON Web Key Set.
jws/compact/sign
Signing JSON Web Signature (JWS) in Compact Serialization
The CompactSign class is used to build and sign Compact JWS strings.
jws/compact/verify
Verifying JSON Web Signature (JWS) in Compact Serialization
Verifies the signature and format of and afterwards decodes the Compact JWS.
Interface for Compact JWS Verification dynamic key resolution. No token components have been verified at the time of this function call.
jws/flattened/sign
Signing JSON Web Signature (JWS) in Flattened JSON Serialization
The FlattenedSign class is used to build and sign Flattened JWS objects.
jws/flattened/verify
Verifying JSON Web Signature (JWS) in Flattened JSON Serialization
Verifies the signature and format of and afterwards decodes the Flattened JWS.
Interface for Flattened JWS Verification dynamic key resolution. No token components have been verified at the time of this function call.
jws/general/sign
Signing JSON Web Signature (JWS) in General JSON Serialization
Used to build General JWS object's individual signatures.
jws/general/verify
Verifying JSON Web Signature (JWS) in General JSON Serialization
Verifies the signature and format of and afterwards decodes the General JWS.
Interface for General JWS Verification dynamic key resolution. No token components have been verified at the time of this function call.
jwt/decode
JSON Web Token (JWT) Claims Set Decoding (no validation, no signature checking)
Decodes a signed JSON Web Token payload. This does not validate the JWT Claims Set types or
values. This does not validate the JWS Signature. For a proper Signed JWT Claims Set validation
and JWS signature verification use jose.jwtVerify(). For an encrypted JWT Claims Set validation
and JWE decryption use jose.jwtDecrypt().
jwt/decrypt
JSON Web Token (JWT) Decryption (JWT is in JWE format)
Verifies the JWT format (to be a JWE Compact format), decrypts the ciphertext, validates the JWT Claims Set.
Interface for JWT Decryption dynamic key resolution. No token components have been verified at the time of this function call.
Combination of JWE Decryption options and JWT Claims Set verification options.
jwt/encrypt
JSON Web Token (JWT) Encryption (JWT is in JWE format)
The EncryptJWT class is used to build and encrypt Compact JWE formatted JSON Web Tokens.
jwt/sign
JSON Web Token (JWT) Signing (JWT is in JWS format)
The SignJWT class is used to build and sign Compact JWS formatted JSON Web Tokens.
jwt/unsecured
Unsecured (unsigned & unencrypted) JSON Web Tokens (JWT)
The UnsecuredJWT class is a utility for dealing with { "alg": "none" } Unsecured JWTs.
jwt/verify
JSON Web Token (JWT) Verification (JWT is in JWS format)
Verifies the JWT format (to be a JWS Compact format), verifies the JWS signature, validates the JWT Claims Set.
Interface for JWT Verification dynamic key resolution. No token components have been verified at the time of this function call.
Combination of JWS Verification options and JWT Claims Set verification options.
key/export
Cryptographic key export functions
Exports a !CryptoKey, !KeyObject, or !Uint8Array to a JWK.
Exports a private !CryptoKey or !KeyObject to a PEM-encoded PKCS8 string format.
Exports a public !CryptoKey or !KeyObject to a PEM-encoded SPKI string format.
key/generate/keypair
Asymmetric key generation
Generates a private and a public key for a given JWA algorithm identifier. This can only generate
asymmetric key pairs. For symmetric secrets use the generateSecret function.
key/generate/secret
Symmetric key generation
Generates a symmetric secret key for a given JWA algorithm identifier.
key/import
Cryptographic key import functions
Imports a JWK to a !CryptoKey. Either the JWK "alg" (Algorithm) Parameter, or the optional "alg" argument, must be present for asymmetric JSON Web Key imports.
Imports a PEM-encoded PKCS#8 string as a !CryptoKey.
Imports a PEM-encoded SPKI string as a !CryptoKey.
Imports the SPKI from an X.509 string certificate as a !CryptoKey.