Socket
Socket
Sign inDemoInstall

jose

Package Overview
Dependencies
0
Maintainers
1
Versions
201
Alerts
File Explorer

Advanced tools

npm Scripts
License

Install Socket

Detect and block malicious and high-risk dependencies

Install

    jose

'JSON Web Almost Everything' - JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes

Version published
Weekly downloads
8.4M
decreased by-11.83%
Maintainers
1
Created
Weekly downloads
 

Package description

What is jose?

The 'jose' npm package is a JavaScript library that provides a variety of cryptographic operations based on JSON Web Tokens (JWT), JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Key (JWK). It is designed to be compliant with the JOSE (JSON Object Signing and Encryption) suite of standards, and it supports various algorithms for encryption, decryption, signing, and verification of tokens.

What are jose's main functionalities?

JWT Signing

This code sample demonstrates how to create and sign a JWT with a specified algorithm and secret.

const { SignJWT } = require('jose');

const jwt = await new SignJWT({ 'urn:example:claim': true })
  .setProtectedHeader({ alg: 'HS256' })
  .setIssuedAt()
  .setIssuer('urn:example:issuer')
  .setAudience('urn:example:audience')
  .setExpirationTime('2h')
  .sign(new TextEncoder().encode('your-256-bit-secret'));

console.log(jwt);

JWT Verification

This code sample shows how to verify a JWT using a secret key and retrieve the payload and protected header.

const { jwtVerify } = require('jose');

const { payload, protectedHeader } = await jwtVerify(jwt, new TextEncoder().encode('your-256-bit-secret'));

console.log(payload);
console.log(protectedHeader);

JWE Encryption

This code sample illustrates how to encrypt a JWT using RSA-OAEP-256 for key management and A256GCM for content encryption.

const { EncryptJWT } = require('jose');

const jwe = await new EncryptJWT({ 'urn:example:claim': true })
  .setProtectedHeader({ alg: 'RSA-OAEP-256', enc: 'A256GCM' })
  .setIssuedAt()
  .setIssuer('urn:example:issuer')
  .setAudience('urn:example:audience')
  .setExpirationTime('2h')
  .encrypt(publicKey);

console.log(jwe);

JWE Decryption

This code sample demonstrates how to decrypt a JWE and obtain the payload and protected header using a private key.

const { jwtDecrypt } = require('jose');

const { payload, protectedHeader } = await jwtDecrypt(jwe, privateKey);

console.log(payload);
console.log(protectedHeader);

JWK Key Generation

This code sample shows how to generate a public and private key pair for the RS256 algorithm.

const { generateKeyPair } = require('jose');

const { publicKey, privateKey } = await generateKeyPair('RS256');

console.log(publicKey);
console.log(privateKey);

Other packages similar to jose

    jsonwebtoken

    The 'jsonwebtoken' package is similar to 'jose' in that it provides functionality for creating and verifying JWTs. It is widely used and has a simpler API for basic JWT operations, but it does not support JWE or more advanced JOSE features.

    node-jose

    The 'node-jose' package is another alternative that implements the JOSE suite of standards. It offers similar functionalities to 'jose' but has a different API design and may have different performance characteristics.

    jws

    The 'jws' package is focused on JSON Web Signatures (JWS). It is a simpler library that allows signing and verifying messages but does not handle JWTs, JWEs, or JWKs directly.

Changelog

Source

4.12.0 (2023-02-15)

Features

  • enable key iteration over JWKSMultipleMatchingKeys (a278acd)

Readme

Source

jose

"JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.

Implemented specs & features

The following specifications are implemented by jose

The test suite utilizes examples defined in RFC7520 to confirm its JOSE implementation is correct.

💗 Help the project

Dependencies: 0

Documentation

example ESM import

import * as jose from 'jose'

example CJS require

const jose = require('jose')

example Deno import

import * as jose from 'https://deno.land/x/jose@v4.12.0/index.ts'

Supported Runtimes

The supported JavaScript runtimes include ones that support the utilized Web API globals and standard built-in objects or are Node.js

These are (this is not an exhaustive list):

FAQ

Supported Versions
VersionSecurity Fixes 🔑Other Bug Fixes 🐞New Features ⭐
v4.x
v3.x, v2.x, v1.x
Uint8Array?!
  • Whenever Uint8Array is a valid input, so is Buffer since buffers are instances of Uint8Array.
  • Whenever Uint8Array is returned and you want a Buffer instead, use Buffer.from(uint8array).
Bundle Size, Package Size, Tree Shaking

Yes the bundle size is on the larger side, that is because each module is actually published multiple times so that it can remain truly without dependencies and be universal / isomorphic.

Nevertheless, since each module can be required independently and is fully tree-shakeable, the install size should not be a cause for concern.

Keywords

FAQs

Last updated on 15 Feb 2023

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Introducing Enhanced Alert Actions and Triage Functionality

Product

Introducing Enhanced Alert Actions and Triage Functionality

Socket now supports four distinct alert actions instead of the previous two, and alert triaging allows users to override the actions taken for all individual alerts.

By Philipp Burckhardt, Alex Morais  -  Jun 27, 2024
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

About

Packages

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc