PACKAGE · AUTHENTICATION

jose

JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes

npm → GitHub →
WEEKLY DOWNLOADS 40.1M
STARS 7.6K
FORKS 371
OPEN ISSUES 2
GZIP SIZE 18.0 kB
UNPACKED SIZE 257.7 kB
LAST UPDATED 3mo ago
DOWNLOAD TRENDS

jose downloads — last 12 months

Download trends for jose1 download series from Jun 2025 to May 2026. Use left and right arrow keys to inspect monthly values.079.8M159.6M239.4M319.2MJun 2025SepDecMarMay 2026
jose
ABOUT JOSE

The `jose` package provides a comprehensive implementation of the JavaScript Object Signing and Encryption (JOSE) standards. It enables developers to work with JSON Web Tokens (JWT), JSON Web Signatures (JWS), JSON Web Encryption (JWE), JSON Web Algorithms (JWA), and JSON Web Key Sets (JWKS) across various JavaScript runtimes. This addresses the need for secure and interoperable ways to transmit and verify information in a digitally signed or encrypted format, crucial for modern web authentication and data protection.

Designed with a focus on interoperability and adherence to RFC specifications, `jose` targets developers building applications that require robust cryptographic operations. Its broad runtime support, including Node.js, the browser, Cloudflare Workers, Deno, and Bun, makes it a versatile choice for diverse deployment environments. The library aims to simplify the complexities of cryptography, offering clear APIs for both signing and verification, as well as encryption and decryption processes.

The API is structured around core concepts like key management, token creation, and validation. Developers can utilize functions such as `SignJWT.sign()` and `jwtVerify()` for JWT operations, `Encrypt.encrypt()` and `CompactDecrypt.decrypt()` for JWE, and `decodeJwk()` for JWK manipulation. The library also supports JWKS endpoints for efficient public key distribution, abstracting away much of the low-level cryptographic details.

`jose` integrates seamlessly into various development workflows. It is well-suited for backend services implementing OAuth 2.0 or OpenID Connect, frontend applications handling authenticated user sessions, and edge computing environments like Cloudflare Workers. Its design allows for integration with modern JavaScript frameworks and build tools, ensuring it can be adopted into existing or new projects without significant friction.

With an unpacked size of 257.7 kB and a gzipped bundle size of 18.0 kB, `jose` strikes a balance between feature richness and performance. This relatively small footprint is beneficial for frontend applications and edge functions where payload size is a concern. The library is actively maintained, evidenced by its recent 6.2.3 version and a high volume of weekly downloads (66.7M), indicating a mature and widely-used solution.

While `jose` is robust, developers should be aware of the inherent complexities of cryptographic key management. Securely storing, rotating, and accessing signing and encryption keys is paramount and falls outside the direct scope of the library itself. Proper implementation of these security practices is critical to fully leverage the protections offered by the JOSE standards.

WHEN TO USE
  • When issuing and verifying JSON Web Tokens (JWT) for API authentication and session management.
  • When implementing End-to-End Encryption (E2EE) for sensitive data using JSON Web Encryption (JWE).
  • When creating signed payloads to ensure message integrity and authenticity with JSON Web Signatures (JWS).
  • When consuming federated identity provider metadata exposed via JSON Web Key Sets (JWKS) endpoints.
  • When building applications that need to support cryptographic operations across Node.js, browser, Deno, Bun, and Cloudflare Workers environments.
  • When requiring JOSE standard compliance for interoperability with other identity systems or services.
  • When securely exchanging cryptographic keys using the JSON Web Key (JWK) format.
WHEN NOT TO USE
  • If your application only requires simple session management and does not involve sensitive data transmission or strict integrity checks; consider simpler cookie-based sessions.
  • If you need basic encryption for non-sensitive data where a symmetric, opaque blob would suffice; implement a custom solution or a simpler library.
  • If your use case exclusively targets a single, constrained runtime environment and has no need for broad compatibility; a runtime-specific crypto API might be sufficient.
  • If the primary goal is to store arbitrary unstructured data securely; consider dedicated data encryption solutions rather than JWTs.
  • When implementing complex cryptographic protocols that extend beyond the standard JWA, JWS, JWE, JWT, JWK, and JWKS specifications; a more specialized cryptographic suite might be necessary.

CORRECTIONS

Spot wrong data here?

A short note helps us fix it.

Anonymous · No account · No email back
COMPARISONS 7
jose vs @auth0/nextjs-auth0 ★ 2.3K · 281.4K/wk jose vs jwt-decode ★ 3.4K · 7.6M/wk jose vs @auth/core ★ 28.3K · 1.8M/wk jose vs @clerk/nextjs ★ 1.7K · 785.1K/wk jose vs @supabase/supabase-js ★ 4.5K · 10.8M/wk jose vs next-auth ★ 28.3K · 2.4M/wk jose vs lucia ★ 10.5K · 106.1K/wk