Scripts2026年7月7日·1 分钟阅读

jose — Universal JavaScript JOSE and JWT Library

A standards-compliant JWA, JWS, JWE, JWT, and JWK library for Node.js, browsers, Deno, Bun, and edge runtimes.

Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
jose Overview
直接安装命令
npx -y tokrepo@latest install 7e61134d-799e-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

Introduction

jose is a comprehensive JavaScript implementation of the JSON Object Signing and Encryption standards. It covers JWA, JWS, JWE, JWT, and JWK/JWKS operations and runs on every major JavaScript runtime: Node.js, browsers, Deno, Bun, and Cloudflare Workers. It uses each runtime's native Web Crypto API, ensuring both correctness and performance without native dependencies.

What jose Does

  • Signs and verifies JSON Web Tokens (JWT) with multiple algorithms
  • Encrypts and decrypts content using JWE (JSON Web Encryption)
  • Generates, imports, and exports cryptographic keys (JWK)
  • Fetches and caches remote JWKS (JSON Web Key Sets) for token verification
  • Supports RSA, ECDSA, EdDSA, and symmetric signing algorithms

Architecture Overview

jose is built on top of the Web Crypto API available in modern JavaScript runtimes. It does not bundle its own cryptographic primitives; instead, it delegates to the runtime's native implementation (SubtleCrypto in browsers and Workers, or the crypto module in Node.js). This design keeps the library small, avoids shipping C/C++ bindings, and ensures FIPS-compliant crypto where the runtime supports it. The API is fully async and tree-shakeable.

Self-Hosting & Configuration

  • Install via npm: npm install jose
  • No native dependencies or build steps required
  • Import only what you need: import { SignJWT, jwtVerify } from 'jose'
  • For JWKS-based verification, use createRemoteJWKSet(new URL('https://.../.well-known/jwks.json'))
  • Works in all runtimes without polyfills: Node.js 16+, all modern browsers, Deno, Bun, Workers

Key Features

  • Zero native dependencies; uses the runtime's Web Crypto API
  • Runs identically on Node.js, browsers, Deno, Bun, and Cloudflare Workers
  • Complete JOSE specification coverage (JWA, JWS, JWE, JWT, JWK, JWKS)
  • Automatic JWKS caching and rotation for remote key sets
  • Full TypeScript types with strict payload and header generics

Comparison with Similar Tools

  • jsonwebtoken — Node.js-only, callback-based; jose is cross-runtime and async-first
  • node-jose — larger API surface with more complexity; jose is leaner and faster
  • jwt-decode — only decodes JWTs without verification; jose provides full sign/verify/encrypt
  • Passport.js — authentication middleware; jose handles the token layer that Passport consumes

FAQ

Q: Can I use jose in Cloudflare Workers? A: Yes. jose uses the Web Crypto API, which is available in all edge runtimes including Cloudflare Workers.

Q: How do I verify tokens using a JWKS endpoint? A: Use createRemoteJWKSet(url) to create a key resolver, then pass it to jwtVerify(). The library caches and rotates keys automatically.

Q: Does jose support symmetric (HMAC) tokens? A: Yes. Use a Uint8Array secret with the HS256, HS384, or HS512 algorithms.

Q: Is jose compatible with Auth0, Firebase, or Keycloak tokens? A: Yes. Any standard JWT issued by these providers can be verified using jose with the provider's JWKS endpoint.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产