# jose — Universal JavaScript JOSE and JWT Library > A standards-compliant JWA, JWS, JWE, JWT, and JWK library for Node.js, browsers, Deno, Bun, and edge runtimes. ## Install Save as a script file and run: # jose — Universal JavaScript JOSE and JWT Library ## Quick Use ```bash npm install jose ``` ```js import { SignJWT, jwtVerify, generateKeyPair } from 'jose'; const { privateKey, publicKey } = await generateKeyPair('RS256'); const jwt = await new SignJWT({ sub: 'user123' }) .setProtectedHeader({ alg: 'RS256' }) .setExpirationTime('2h') .sign(privateKey); const { payload } = await jwtVerify(jwt, publicKey); // payload.sub => 'user123' ``` ## Introduction jose is a comprehensive JavaScript implementation of the JSON Object Signing and Encryption standards. It covers JWA, JWS, JWE, JWT, and JWK/JWKS operations and runs on every major JavaScript runtime: Node.js, browsers, Deno, Bun, and Cloudflare Workers. It uses each runtime's native Web Crypto API, ensuring both correctness and performance without native dependencies. ## What jose Does - Signs and verifies JSON Web Tokens (JWT) with multiple algorithms - Encrypts and decrypts content using JWE (JSON Web Encryption) - Generates, imports, and exports cryptographic keys (JWK) - Fetches and caches remote JWKS (JSON Web Key Sets) for token verification - Supports RSA, ECDSA, EdDSA, and symmetric signing algorithms ## Architecture Overview jose is built on top of the Web Crypto API available in modern JavaScript runtimes. It does not bundle its own cryptographic primitives; instead, it delegates to the runtime's native implementation (SubtleCrypto in browsers and Workers, or the crypto module in Node.js). This design keeps the library small, avoids shipping C/C++ bindings, and ensures FIPS-compliant crypto where the runtime supports it. The API is fully async and tree-shakeable. ## Self-Hosting & Configuration - Install via npm: `npm install jose` - No native dependencies or build steps required - Import only what you need: `import { SignJWT, jwtVerify } from 'jose'` - For JWKS-based verification, use `createRemoteJWKSet(new URL('https://.../.well-known/jwks.json'))` - Works in all runtimes without polyfills: Node.js 16+, all modern browsers, Deno, Bun, Workers ## Key Features - Zero native dependencies; uses the runtime's Web Crypto API - Runs identically on Node.js, browsers, Deno, Bun, and Cloudflare Workers - Complete JOSE specification coverage (JWA, JWS, JWE, JWT, JWK, JWKS) - Automatic JWKS caching and rotation for remote key sets - Full TypeScript types with strict payload and header generics ## Comparison with Similar Tools - **jsonwebtoken** — Node.js-only, callback-based; jose is cross-runtime and async-first - **node-jose** — larger API surface with more complexity; jose is leaner and faster - **jwt-decode** — only decodes JWTs without verification; jose provides full sign/verify/encrypt - **Passport.js** — authentication middleware; jose handles the token layer that Passport consumes ## FAQ **Q: Can I use jose in Cloudflare Workers?** A: Yes. jose uses the Web Crypto API, which is available in all edge runtimes including Cloudflare Workers. **Q: How do I verify tokens using a JWKS endpoint?** A: Use `createRemoteJWKSet(url)` to create a key resolver, then pass it to `jwtVerify()`. The library caches and rotates keys automatically. **Q: Does jose support symmetric (HMAC) tokens?** A: Yes. Use a `Uint8Array` secret with the `HS256`, `HS384`, or `HS512` algorithms. **Q: Is jose compatible with Auth0, Firebase, or Keycloak tokens?** A: Yes. Any standard JWT issued by these providers can be verified using jose with the provider's JWKS endpoint. ## Sources - https://github.com/panva/jose - https://github.com/panva/jose/blob/main/docs/README.md --- Source: https://tokrepo.com/en/workflows/asset-7e61134d Author: Script Depot