`jose` is a JavaScript module for working with JOSE standards, including JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Keys (JWK, JWKS). It provides tools to sign, verify, encrypt, decrypt, import/export keys, and validate JWT claims across multiple Web-interoperable runtimes such as Node.js, browsers, Cloudflare Workers, Deno, and Bun.
Project status
- Actively maintained: The upstream repo shows a very recent push (2026-06-10), and tagged updates continue into 2026 (latest release v6.2.3 on 2026-04-27), indicating ongoing development rather than maintenance mode.
- Update cadence: Tags are relatively frequent, with updates appearing in quick succession during 2026-03 (v6.2.0, v6.2.1, v6.2.2), then another update on 2026-04-27 (v6.2.3), plus a further upstream push in mid-June.
AI summary generated 2026-06-11
Recent updates
v6.2.3
2026-04-27v6.2.3 primarily tightens PBES2 parameter validation. The release adds an explicit check that PBES2 count (p2c) must be a positive safe integer, and fails with a JWEInvalid error when it is not.
Breakingv6.2.2
2026-03-18v6.2.2 includes a small fix intended to ensure failed JWE deflate decompression is rejected as a JWEInvalid error. The code changes also adjust deflate stream error handling and add more defensive error wrapping around both decompression and compression.
v6.2.1
2026-03-09v6.2.1 is described as an internal refactor to reduce file count and footprint. The diff shows significant consolidation of JWE content encryption, JWE key management, signing utilities, and type-check helpers into new modules.
Breakingv6.2.0
2026-03-05v6.2.0 re-introduces support for the JWE "zip" (Compression Algorithm) header parameter, implemented via runtime Web CompressionStream/DecompressionStream. It also updates documentation to clarify what general JWS and general JWE decryption and verification return values represent. The code changes include additional constraints and a new decompression size limit option that are not mentioned in the release notes.
Featuresv6.1.3
2025-12-02v6.1.3 is primarily a refactor intended to avoid `export * as ...` in the published entrypoints, to satisfy Google Closure compiler constraints. The diff also includes a small change to the text of a thrown `TypeError` when an incorrect JWK type is provided, plus a set of dev dependency version bumps.
v6.1.2
2025-11-15Release v6.1.2 primarily refines how the library detects CryptoKey instances. It adds a fallback to checking instanceof CryptoKey in addition to the existing Symbol.toStringTag check, and updates the packaged version strings to v6.1.2 across targets.
v6.1.1
2025-11-09v6.1.1 focuses on documentation and internal refactors aimed at reducing JOSE JWE/JWT overhead in the Deno build. The release notes mention removing named exports in source code and some key management API exposure, but the code diff shows broader module export shape changes and some behavior-relevant utility changes.
Featuresv6.1.0
2025-08-27v6.1.0 documents support for AKP JWK thumbprints and adds ML-DSA PQC algorithm identifiers. The actual code diff shows substantially broader AKP and ML-DSA support throughout key handling and signature key checks, not just thumbprint utilities.
Featuresv6.0.13
2025-08-21v6.0.13 is labeled as a refactor release, with notes mentioning readability improvements in ecdhes.ts and helper updates in asn1.ts. However, the actual diff includes substantive internal changes to ECDH-ES Concat KDF construction and a major rewrite of ASN.1 parsing logic used for curve detection and key import validation.
Breakingv6.0.12
2025-07-15v6.0.12 primarily updates documentation and refactors internal ASN.1 helper logic used by key import routines. No new public APIs are called out in the release notes, but the code diff shows meaningful changes to how key types (ECDH/ECDSA named curves) are detected and how PEM inputs are decoded.
Breaking