jose (JavaScript)

Universal JavaScript library for JSON Object Signing and Encryption (JOSE) — JWT, JWS, JWE, JWK, JWKS. Works in Node.js, browsers, Deno, Cloudflare Workers, and Vercel Edge Functions using the native Web Crypto API. Unlike jsonwebtoken which uses Node.js crypto, jose uses Web Crypto and runs anywhere. Supports JWKS (JSON Web Key Sets) with remote key fetching and automatic rotation.

Evaluated Mar 06, 2026 (0d ago) v5.x

Homepage ↗ Repo ↗ Developer Tools jwt jwe jws jwk jwks authentication edge-runtime browser open-source

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

100

Rate Limits

100

🔒 Security

TLS Enforcement

Auth Strength

Scope Granularity

Dep. Hygiene

Secret Handling

Uses Web Crypto API (native browser/runtime crypto). Supports JWKS rotation for forward security. Algorithm confusion attacks prevented by algorithm configuration. JWE provides payload confidentiality beyond JWT.

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You need JWT/JWKS support in Edge runtimes, browsers, or any runtime beyond Node.js, or you need proper JWKS remote key set handling.

Avoid When

You only need simple HS256 JWT signing in Node.js — jsonwebtoken is simpler with its callback/promise API.

Use Cases

• Sign and verify JWTs in Edge Functions (Cloudflare Workers, Vercel Edge) where jsonwebtoken doesn't work
• Fetch and cache JWKS from remote endpoints (auth0.com, Google, Okta) for JWT verification with key rotation
• Use JWE (JSON Web Encryption) for encrypted tokens that hide payload contents from intermediate parties
• Implement OIDC token verification for identity providers using JWKS endpoint discovery
• Build browser-native JWT handling without server round-trips using Web Crypto API

Not For

• Simple Node.js-only JWT signing where jsonwebtoken is already established
• Teams unfamiliar with JOSE spec complexity — the full JOSE spec (JWK, JWKS, JWE) adds complexity beyond simple JWT use
• Applications needing PASETO tokens — use a PASETO library for the Paseto standard

Interface

REST API

GraphQL

gRPC

MCP Server

SDK

Yes

Webhooks

Authentication

Methods: none

OAuth: No Scopes: No

Library used to implement auth, not a service requiring auth.

Pricing

Model: open_source

Free tier: Yes

Requires CC: No

Free and open source, maintained by Filip Skokan (panva).

Agent Metadata

Pagination

none

Idempotent

Full

Retry Guidance

Not documented

Known Gotchas

⚠ jose uses the Web Crypto API — in Node.js versions before 18, Web Crypto may not be available globally; import from 'jose' handles this, but avoid explicit webcrypto imports in older environments
⚠ createRemoteJWKSet() for JWKS fetches keys lazily on first verify call — the first verification after startup may be slow (50-200ms) due to network fetch
⚠ JWT audience (aud) and issuer (iss) validation is NOT done by default — always pass { audience, issuer } options to jwtVerify() for security; missing these allows token reuse across services
⚠ jose's SignJWT requires chaining: new SignJWT(payload).setProtectedHeader({alg}).setIssuedAt().sign(key) — forgetting setProtectedHeader causes 'alg must be provided' error
⚠ JWKS caching has default cooldown — createRemoteJWKSet() caches keys and won't re-fetch more often than the cooldown period; this can cause failures during rapid key rotation
⚠ jose exports named functions (SignJWT, jwtVerify) not a default object — import { jwtVerify } from 'jose', not import jose from 'jose'

Alternatives

jsonwebtoken-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for jose (JavaScript).

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.