Cette page est affichée en anglais. Une traduction française est en cours.
ScriptsJul 7, 2026·3 min de lecture

jose — Universal JavaScript JOSE and JWT Library

A standards-compliant JWA, JWS, JWE, JWT, and JWK library for Node.js, browsers, Deno, Bun, and edge runtimes.

Prêt pour agents

Installation agent prête

Cet actif peut être installé après choix du runtime, vérification du plan et exécution de la commande adaptée.

Native · 98/100Policy : autoriser
Surface agent
Tout agent MCP/CLI
Type
Skill
Installation
Single
Confiance
Confiance : Established
Point d'entrée
jose Overview
Commande d'installation directe
npx -y tokrepo@latest install 7e61134d-799e-11f1-9bc6-00163e2b0d79 --target codex

À exécuter après confirmation du plan en dry-run.

Introduction

jose is a comprehensive JavaScript implementation of the JSON Object Signing and Encryption standards. It covers JWA, JWS, JWE, JWT, and JWK/JWKS operations and runs on every major JavaScript runtime: Node.js, browsers, Deno, Bun, and Cloudflare Workers. It uses each runtime's native Web Crypto API, ensuring both correctness and performance without native dependencies.

What jose Does

  • Signs and verifies JSON Web Tokens (JWT) with multiple algorithms
  • Encrypts and decrypts content using JWE (JSON Web Encryption)
  • Generates, imports, and exports cryptographic keys (JWK)
  • Fetches and caches remote JWKS (JSON Web Key Sets) for token verification
  • Supports RSA, ECDSA, EdDSA, and symmetric signing algorithms

Architecture Overview

jose is built on top of the Web Crypto API available in modern JavaScript runtimes. It does not bundle its own cryptographic primitives; instead, it delegates to the runtime's native implementation (SubtleCrypto in browsers and Workers, or the crypto module in Node.js). This design keeps the library small, avoids shipping C/C++ bindings, and ensures FIPS-compliant crypto where the runtime supports it. The API is fully async and tree-shakeable.

Self-Hosting & Configuration

  • Install via npm: npm install jose
  • No native dependencies or build steps required
  • Import only what you need: import { SignJWT, jwtVerify } from 'jose'
  • For JWKS-based verification, use createRemoteJWKSet(new URL('https://.../.well-known/jwks.json'))
  • Works in all runtimes without polyfills: Node.js 16+, all modern browsers, Deno, Bun, Workers

Key Features

  • Zero native dependencies; uses the runtime's Web Crypto API
  • Runs identically on Node.js, browsers, Deno, Bun, and Cloudflare Workers
  • Complete JOSE specification coverage (JWA, JWS, JWE, JWT, JWK, JWKS)
  • Automatic JWKS caching and rotation for remote key sets
  • Full TypeScript types with strict payload and header generics

Comparison with Similar Tools

  • jsonwebtoken — Node.js-only, callback-based; jose is cross-runtime and async-first
  • node-jose — larger API surface with more complexity; jose is leaner and faster
  • jwt-decode — only decodes JWTs without verification; jose provides full sign/verify/encrypt
  • Passport.js — authentication middleware; jose handles the token layer that Passport consumes

FAQ

Q: Can I use jose in Cloudflare Workers? A: Yes. jose uses the Web Crypto API, which is available in all edge runtimes including Cloudflare Workers.

Q: How do I verify tokens using a JWKS endpoint? A: Use createRemoteJWKSet(url) to create a key resolver, then pass it to jwtVerify(). The library caches and rotates keys automatically.

Q: Does jose support symmetric (HMAC) tokens? A: Yes. Use a Uint8Array secret with the HS256, HS384, or HS512 algorithms.

Q: Is jose compatible with Auth0, Firebase, or Keycloak tokens? A: Yes. Any standard JWT issued by these providers can be verified using jose with the provider's JWKS endpoint.

Sources

Fil de discussion

Connectez-vous pour rejoindre la discussion.
Aucun commentaire pour l'instant. Soyez le premier à partager votre avis.

Actifs similaires