Skip to main content
Deno 2 is finally here 🎉️
Learn more
Module

x/jose/index.ts

JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.
Extremely Popular
Latest
import * as jose from "https://deno.land/x/jose@v5.9.6/index.ts";

Classes

The CompactEncrypt class is used to build and encrypt Compact JWE strings.

The CompactSign class is used to build and sign Compact JWS strings.

The EncryptJWT class is used to build and encrypt Compact JWE formatted JSON Web Tokens.

An error subclass thrown when a JOSE Algorithm is not allowed per developer preference.

A generic Error that all other JOSE specific Error subclasses extend.

An error subclass thrown when a particular feature or algorithm is not supported by this implementation or JOSE in general.

An error subclass thrown when a JWE ciphertext decryption fails.

An error subclass thrown when a JWE is invalid.

An error subclass thrown when a JWK is invalid.

An error subclass thrown when a JWKS is invalid.

An error subclass thrown when multiple keys match from a JWKS.

An error subclass thrown when no keys match from a JWKS.

Timeout was reached when retrieving the JWKS response.

An error subclass thrown when a JWS is invalid.

An error subclass thrown when JWS signature verification fails.

An error subclass thrown when a JWT Claim Set member validation fails.

An error subclass thrown when a JWT is expired.

An error subclass thrown when a JWT is invalid.

The FlattenedEncrypt class is used to build and encrypt Flattened JWE objects.

The FlattenedSign class is used to build and sign Flattened JWS objects.

The GeneralEncrypt class is used to build and encrypt General JWE objects.

The GeneralSign class is used to build and sign General JWS objects.

Generic class for JWT producing.

The SignJWT class is used to build and sign Compact JWS formatted JSON Web Tokens.

The UnsecuredJWT class is a utility for dealing with { "alg": "none" } Unsecured JWTs.

Variables

DANGER ZONE - This option has security implications that must be understood, assessed for applicability, and accepted before use. It is critical that the JSON Web Key Set cache only be writable by your own code.

Functions

Calculates a base64url-encoded JSON Web Key (JWK) Thumbprint

Calculates a JSON Web Key (JWK) Thumbprint URI

Decrypts a Compact JWE.

Verifies the signature and format of and afterwards decodes the Compact JWS.

Returns a function that resolves a JWS JOSE Header to a public key object from a locally stored, or otherwise available, JSON Web Key Set.

Returns a function that resolves a JWS JOSE Header to a public key object downloaded from a remote endpoint returning a JSON Web Key Set, that is, for example, an OAuth 2.0 or OIDC jwks_uri. The JSON Web Key Set is fetched when no key matches the selection process but only as frequently as the cooldownDuration option allows to prevent abuse.

Decodes a signed JSON Web Token payload. This does not validate the JWT Claims Set types or values. This does not validate the JWS Signature. For a proper Signed JWT Claims Set validation and JWS signature verification use jose.jwtVerify(). For an encrypted JWT Claims Set validation and JWE decryption use jose.jwtDecrypt().

Decodes the Protected Header of a JWE/JWS/JWT token utilizing any JOSE serialization.

EmbeddedJWK is an implementation of a GetKeyFunction intended to be used with the JWS/JWT verify operations whenever you need to opt-in to verify signatures with a public key embedded in the token's "jwk" (JSON Web Key) Header Parameter. It is recommended to combine this with the verify function's algorithms option to define accepted JWS "alg" (Algorithm) Header Parameter values.

Exports a runtime-specific key representation (KeyLike) to a JWK.

Exports a runtime-specific private key representation (!KeyObject or !CryptoKey) to a PEM-encoded PKCS8 string format.

Exports a runtime-specific public key representation (!KeyObject or !CryptoKey) to a PEM-encoded SPKI string format.

Decrypts a Flattened JWE.

Verifies the signature and format of and afterwards decodes the Flattened JWS.

Decrypts a General JWE.

Verifies the signature and format of and afterwards decodes the General JWS.

Generates a private and a public key for a given JWA algorithm identifier. This can only generate asymmetric key pairs. For symmetric secrets use the generateSecret function.

Generates a symmetric secret key for a given JWA algorithm identifier.

Imports a JWK to a runtime-specific key representation (KeyLike). Either the JWK "alg" (Algorithm) Parameter, or the optional "alg" argument, must be present.

Imports a PEM-encoded PKCS#8 string as a runtime-specific private key representation (!KeyObject or !CryptoKey).

Imports a PEM-encoded SPKI string as a runtime-specific public key representation (!KeyObject or !CryptoKey).

Imports the SPKI from an X.509 string certificate as a runtime-specific public key representation (!KeyObject or !CryptoKey).

Verifies the JWT format (to be a JWE Compact format), decrypts the ciphertext, validates the JWT Claims Set.

Verifies the JWT format (to be a JWS Compact format), verifies the JWS signature, validates the JWT Claims Set.

Interfaces

Interface for Compact JWE Decryption dynamic key resolution. No token components have been verified at the time of this function call.

Recognized Compact JWE Header Parameters, any other Header Members may also be present.

Recognized Compact JWS Header Parameters, any other Header Members may also be present.

Interface for Compact JWS Verification dynamic key resolution. No token components have been verified at the time of this function call.

Shared Interface with a "crit" property for all sign, verify, encrypt and decrypt operations.

JWE Decryption options.

JWE Encryption options.

Interface for Flattened JWE Decryption dynamic key resolution. No token components have been verified at the time of this function call.

Flattened JWE definition.

Flattened JWS definition. Payload is returned as an empty string when JWS Unencoded Payload (RFC7797) is used.

Flattened JWS definition for verify function inputs, allows payload as !Uint8Array for detached signature validation.

Interface for Flattened JWS Verification dynamic key resolution. No token components have been verified at the time of this function call.

Interface for General JWE Decryption dynamic key resolution. No token components have been verified at the time of this function call.

General JWS definition. Payload is returned as an empty string when JWS Unencoded Payload (RFC7797) is used.

General JWS definition for verify function inputs, allows payload as !Uint8Array for detached signature validation.

Interface for General JWS Verification dynamic key resolution. No token components have been verified at the time of this function call.

Generic Interface for consuming operations dynamic key resolution.

JSON Web Key Set

Recognized JWE Header Parameters, any other Header members may also be present.

Recognized JWE Key Management-related Header Parameters.

JSON Web Key (JWK). "RSA", "EC", "OKP", and "oct" key types are supported.

Convenience interface for Private EC JSON Web Keys

Convenience interface for Public EC JSON Web Keys

Convenience interface for oct JSON Web Keys

Convenience interface for Private OKP JSON Web Keys

Convenience interface for Public OKP JSON Web Keys

Convenience interface for Private RSA JSON Web Keys

Convenience interface for Public RSA JSON Web Keys

Generic JSON Web Key Parameters.

Recognized JWS Header Parameters, any other Header Members may also be present.

JWT Claims Set verification options.

Interface for JWT Decryption dynamic key resolution. No token components have been verified at the time of this function call.

Combination of JWE Decryption options and JWT Claims Set verification options.

Recognized Signed JWT Header Parameters, any other Header Members may also be present.

Recognized JWT Claims Set members, any other members may also be present.

Interface for JWT Verification dynamic key resolution. No token components have been verified at the time of this function call.

Combination of JWS Verification options and JWT Claims Set verification options.

Options for the remote JSON Web Key Set.

JWS Signing options.

JWS Verification options.

Type Aliases

KeyLike are runtime-specific classes representing asymmetric keys or symmetric secrets. These are instances of !CryptoKey and additionally !KeyObject in Node.js runtime. !Uint8Array instances are also accepted as symmetric secret representation only.