Esta página se muestra en inglés. Una traducción al español está en curso.
ScriptsJul 7, 2026·3 min de lectura

jose — Universal JavaScript JOSE and JWT Library

A standards-compliant JWA, JWS, JWE, JWT, and JWK library for Node.js, browsers, Deno, Bun, and edge runtimes.

Listo para agents

Instalación lista para agent

Este activo puede instalarse después de elegir el runtime, revisar el plan y ejecutar el comando correspondiente.

Native · 98/100Política: permitir
Superficie agent
Cualquier agent MCP/CLI
Tipo
Skill
Instalación
Single
Confianza
Confianza: Established
Entrada
jose Overview
Comando de instalación directa
npx -y tokrepo@latest install 7e61134d-799e-11f1-9bc6-00163e2b0d79 --target codex

Ejecutar después de confirmar el plan con dry-run.

Introduction

jose is a comprehensive JavaScript implementation of the JSON Object Signing and Encryption standards. It covers JWA, JWS, JWE, JWT, and JWK/JWKS operations and runs on every major JavaScript runtime: Node.js, browsers, Deno, Bun, and Cloudflare Workers. It uses each runtime's native Web Crypto API, ensuring both correctness and performance without native dependencies.

What jose Does

  • Signs and verifies JSON Web Tokens (JWT) with multiple algorithms
  • Encrypts and decrypts content using JWE (JSON Web Encryption)
  • Generates, imports, and exports cryptographic keys (JWK)
  • Fetches and caches remote JWKS (JSON Web Key Sets) for token verification
  • Supports RSA, ECDSA, EdDSA, and symmetric signing algorithms

Architecture Overview

jose is built on top of the Web Crypto API available in modern JavaScript runtimes. It does not bundle its own cryptographic primitives; instead, it delegates to the runtime's native implementation (SubtleCrypto in browsers and Workers, or the crypto module in Node.js). This design keeps the library small, avoids shipping C/C++ bindings, and ensures FIPS-compliant crypto where the runtime supports it. The API is fully async and tree-shakeable.

Self-Hosting & Configuration

  • Install via npm: npm install jose
  • No native dependencies or build steps required
  • Import only what you need: import { SignJWT, jwtVerify } from 'jose'
  • For JWKS-based verification, use createRemoteJWKSet(new URL('https://.../.well-known/jwks.json'))
  • Works in all runtimes without polyfills: Node.js 16+, all modern browsers, Deno, Bun, Workers

Key Features

  • Zero native dependencies; uses the runtime's Web Crypto API
  • Runs identically on Node.js, browsers, Deno, Bun, and Cloudflare Workers
  • Complete JOSE specification coverage (JWA, JWS, JWE, JWT, JWK, JWKS)
  • Automatic JWKS caching and rotation for remote key sets
  • Full TypeScript types with strict payload and header generics

Comparison with Similar Tools

  • jsonwebtoken — Node.js-only, callback-based; jose is cross-runtime and async-first
  • node-jose — larger API surface with more complexity; jose is leaner and faster
  • jwt-decode — only decodes JWTs without verification; jose provides full sign/verify/encrypt
  • Passport.js — authentication middleware; jose handles the token layer that Passport consumes

FAQ

Q: Can I use jose in Cloudflare Workers? A: Yes. jose uses the Web Crypto API, which is available in all edge runtimes including Cloudflare Workers.

Q: How do I verify tokens using a JWKS endpoint? A: Use createRemoteJWKSet(url) to create a key resolver, then pass it to jwtVerify(). The library caches and rotates keys automatically.

Q: Does jose support symmetric (HMAC) tokens? A: Yes. Use a Uint8Array secret with the HS256, HS384, or HS512 algorithms.

Q: Is jose compatible with Auth0, Firebase, or Keycloak tokens? A: Yes. Any standard JWT issued by these providers can be verified using jose with the provider's JWKS endpoint.

Sources

Discusión

Inicia sesión para unirte a la discusión.
Aún no hay comentarios. Sé el primero en compartir tus ideas.

Activos relacionados