jpadilla/pyjwt

GitHub · 3 updates · last 90 days · 1 watcher · Open source

Last release: 1 week ago

pyjwt is a Python library for working with JSON Web Tokens (JWT). It provides tools for creating, encoding, decoding, and validating JWTs, useful for developers implementing token-based authentication and authorization in Python applications.

Project status

  • Actively maintained: Evidence shows ongoing development (upstream push on 2026-05-25) and multiple recent versioned updates (2.13.0 on 2026-05-21, 2.12.1 on 2026-03-13, 2.12.0 on 2026-03-12).
  • Update cadence: The visible updates are fairly frequent, roughly every 1 to 2 months across early 2026 (March to May), with a security patch (2.12.1) following closely after a larger security/maintenance update (2.12.0).

AI summary generated 6 days ago

AI-generated from public sources. May be inaccurate.

Recent updates

  • 2.13.0

    1 week ago

    PyJWT 2.13.0 is a security-focused release with multiple hardening changes, including algorithm-confusion protections, stricter handling of detached payloads when b64=false, and safer PyJWKClient behavior. It also fixes option plumbing so per-call decode options (notably enforce_minimum_key_length) reach the JWS verification layer. Finally, the project migrates dev/docs/tests packaging extras to dependency groups.

    Breaking · Security
  • 2.12.1

    2 months ago

    PyJWT 2.12.1 is a small patch release focused on packaging, adding a missing typing_extensions dependency for Python versions below 3.11. The code diff also updates CI workflow coverage and bumps the package version, with no API surface changes visible in the patch.

  • 2.12.0

    2 months ago

    PyJWT 2.12.0 is a security and maintenance release focused on RFC 7515 crit header enforcement, JWK handling cleanup, and a fix for JWT encoding when a PyJWK is supplied without an explicit algorithm. The diff also adds or expands PyJWKClient caching behavior, tightens decode-time header validation, and refreshes CI and pre-commit tooling.

    Breaking · Security
  • 2.11.0

    4 months ago

    PyJWT 2.11.0 is a hardening and maintenance release focused on stricter key and claim validation, improved typing, and expanded Python 3.14/PyPy support. It also refreshes the build, docs, and CI toolchain, while adding iterable JWK set support and several decoding and algorithm fixes.

    Security · Features
  • 2.10.1

    11/28/2024

    PyJWT 2.10.1 is a focused security patch that tightens validation of the `iss` claim. String issuers now require an exact match, preventing the partial-matching bug that could let incorrectly issued tokens pass validation.

    Security
  • 2.10.0

    11/17/2024

    PyJWT 2.10.0 is a maintenance and feature release that adds Python 3.13 support, drops Python 3.8, tightens claim validation, and expands JWT and JWK handling. It also migrates project configuration to pyproject.toml and refreshes CI, docs, and linting infrastructure.

    Breaking · Features
  • 2.9.0

    8/1/2024

    PyJWT 2.9.0 expands JWK interoperability, adding Python 3.12 support, allowing issuer validation against multiple acceptable values, and letting `jwt.decode()` and `decode_complete()` work directly with `PyJWK` objects. The code also tightens key parsing and cryptography error handling, which changes how invalid PEM keys and missing `cryptography` are surfaced to callers.

    Features
  • 2.8.0

    7/18/2023

    PyJWT 2.8.0 adds stricter audience validation via the new strict_aud decode option and publicly exports PyJWKClientConnectionError. The code diff also extends PyJWKClient with optional SSLContext support, updates the supported Python test matrix, and refreshes pre-commit tooling.

    Features
  • 2.7.0

    5/9/2023

    PyJWT 2.7.0 broadens support and adds several new extension points, especially around JWK handling, OIDC at_hash validation, and JWT header encoding. It also tightens typing and improves error handling for cryptography-related and JWKS parsing scenarios, while updating the project tooling and release automation.

    Features
  • 2.6.0

    10/24/2022

    PyJWT 2.6.0 is a small release focused on stricter JWT claim validation and dependency maintenance. It tightens expiration handling, adds future-issued-at rejection, and raises the minimum `cryptography` version while refreshing repository tooling.

  • 2.5.0

    9/17/2022

    PyJWT 2.5.0 focuses on expanding the public API (new algorithm/JWK helpers) and improving JWK set behavior via caching and more accurate error handling. It also drops Python 3.6 support and starts emitting deprecation warnings for unsupported kwargs, so some upgrades will require environment and usage adjustments.

    Breaking · Features