Introduction
jose is a comprehensive JavaScript implementation of the JSON Object Signing and Encryption standards. It covers JWA, JWS, JWE, JWT, and JWK/JWKS operations and runs on every major JavaScript runtime: Node.js, browsers, Deno, Bun, and Cloudflare Workers. It uses each runtime's native Web Crypto API, ensuring both correctness and performance without native dependencies.
What jose Does
- Signs and verifies JSON Web Tokens (JWT) with multiple algorithms
- Encrypts and decrypts content using JWE (JSON Web Encryption)
- Generates, imports, and exports cryptographic keys (JWK)
- Fetches and caches remote JWKS (JSON Web Key Sets) for token verification
- Supports RSA, ECDSA, EdDSA, and symmetric signing algorithms
Architecture Overview
jose is built on top of the Web Crypto API available in modern JavaScript runtimes. It does not bundle its own cryptographic primitives; instead, it delegates to the runtime's native implementation (SubtleCrypto in browsers and Workers, or the crypto module in Node.js). This design keeps the library small, avoids shipping C/C++ bindings, and ensures FIPS-compliant crypto where the runtime supports it. The API is fully async and tree-shakeable.
Self-Hosting & Configuration
- Install via npm:
npm install jose - No native dependencies or build steps required
- Import only what you need:
import { SignJWT, jwtVerify } from 'jose' - For JWKS-based verification, use
createRemoteJWKSet(new URL('https://.../.well-known/jwks.json')) - Works in all runtimes without polyfills: Node.js 16+, all modern browsers, Deno, Bun, Workers
Key Features
- Zero native dependencies; uses the runtime's Web Crypto API
- Runs identically on Node.js, browsers, Deno, Bun, and Cloudflare Workers
- Complete JOSE specification coverage (JWA, JWS, JWE, JWT, JWK, JWKS)
- Automatic JWKS caching and rotation for remote key sets
- Full TypeScript types with strict payload and header generics
Comparison with Similar Tools
- jsonwebtoken — Node.js-only, callback-based; jose is cross-runtime and async-first
- node-jose — larger API surface with more complexity; jose is leaner and faster
- jwt-decode — only decodes JWTs without verification; jose provides full sign/verify/encrypt
- Passport.js — authentication middleware; jose handles the token layer that Passport consumes
FAQ
Q: Can I use jose in Cloudflare Workers? A: Yes. jose uses the Web Crypto API, which is available in all edge runtimes including Cloudflare Workers.
Q: How do I verify tokens using a JWKS endpoint?
A: Use createRemoteJWKSet(url) to create a key resolver, then pass it to jwtVerify(). The library caches and rotates keys automatically.
Q: Does jose support symmetric (HMAC) tokens?
A: Yes. Use a Uint8Array secret with the HS256, HS384, or HS512 algorithms.
Q: Is jose compatible with Auth0, Firebase, or Keycloak tokens? A: Yes. Any standard JWT issued by these providers can be verified using jose with the provider's JWKS endpoint.