`jose` is a JavaScript module for working with JOSE standards, including JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Keys (JWK, JWKS). It provides tools to sign, verify, encrypt, decrypt, import/export keys, and validate JWT claims across multiple Web-interoperable runtimes such as Node.js, browsers, Cloudflare Workers, Deno, and Bun.
Project status
- The repository appears actively maintained, with a recent upstream push on 2026-06-03 and multiple 6.2.x updates in 2026.
- The apparent update cadence is fairly steady, with updates landing roughly every 1 to 6 weeks (v6.2.1 on 2026-03-09, v6.2.2 on 2026-03-18, v6.2.3 on 2026-04-27).
AI summary generated Today
Recent updates
v6.2.3
1 month agov6.2.3 primarily tightens PBES2 parameter validation. The release adds an explicit check that PBES2 count (p2c) must be a positive safe integer, and fails with a JWEInvalid error when it is not.
Breakingv6.2.2
2 months agov6.2.2 includes a small fix intended to ensure failed JWE deflate decompression is rejected as a JWEInvalid error. The code changes also adjust deflate stream error handling and add more defensive error wrapping around both decompression and compression.
v6.2.1
3 months agov6.2.1 is described as an internal refactor to reduce file count and footprint. The diff shows significant consolidation of JWE content encryption, JWE key management, signing utilities, and type-check helpers into new modules.
Breakingv6.2.0
3 months agov6.2.0 re-introduces support for the JWE "zip" (Compression Algorithm) header parameter, implemented via runtime Web CompressionStream/DecompressionStream. It also updates documentation to clarify what general JWS and general JWE decryption and verification return values represent. The code changes include additional constraints and a new decompression size limit option that are not mentioned in the release notes.
Featuresv6.1.3
6 months agov6.1.3 is primarily a refactor intended to avoid `export * as ...` in the published entrypoints, to satisfy Google Closure compiler constraints. The diff also includes a small change to the text of a thrown `TypeError` when an incorrect JWK type is provided, plus a set of dev dependency version bumps.
v6.1.2
6 months agoRelease v6.1.2 primarily refines how the library detects CryptoKey instances. It adds a fallback to checking instanceof CryptoKey in addition to the existing Symbol.toStringTag check, and updates the packaged version strings to v6.1.2 across targets.
v6.1.1
7 months agov6.1.1 focuses on documentation and internal refactors aimed at reducing JOSE JWE/JWT overhead in the Deno build. The release notes mention removing named exports in source code and some key management API exposure, but the code diff shows broader module export shape changes and some behavior-relevant utility changes.
Featuresv6.1.0
9 months agov6.1.0 documents support for AKP JWK thumbprints and adds ML-DSA PQC algorithm identifiers. The actual code diff shows substantially broader AKP and ML-DSA support throughout key handling and signature key checks, not just thumbprint utilities.
Featuresv6.0.13
9 months agov6.0.13 is labeled as a refactor release, with notes mentioning readability improvements in ecdhes.ts and helper updates in asn1.ts. However, the actual diff includes substantive internal changes to ECDH-ES Concat KDF construction and a major rewrite of ASN.1 parsing logic used for curve detection and key import validation.
Breakingv6.0.12
10 months agov6.0.12 primarily updates documentation and refactors internal ASN.1 helper logic used by key import routines. No new public APIs are called out in the release notes, but the code diff shows meaningful changes to how key types (ECDH/ECDSA named curves) are detected and how PEM inputs are decoded.
Breaking