Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.
The EncryptJWT class is used to build and encrypt Compact JWE formatted JSON Web Tokens.
Example
const secret = jose.base64url.decode('zH4NRP1HMALxxCFnRZABFA7GOJtzU_gIj02alfL1lvI')
const jwt = await new jose.EncryptJWT({ 'urn:example:claim': true })
.setProtectedHeader({ alg: 'dir', enc: 'A128CBC-HS256' })
.setIssuedAt()
.setIssuer('urn:example:issuer')
.setAudience('urn:example:audience')
.setExpirationTime('2h')
.encrypt(secret)
console.log(jwt)- encrypt
- replicateAudienceAsHeader
- replicateIssuerAsHeader
- replicateSubjectAsHeader
- setAudience
- setContentEncryptionKey
- setExpirationTime
- setInitializationVector
- setIssuedAt
- setIssuer
- setJti
- setKeyManagementParameters
- setNotBefore
- setProtectedHeader
- setSubject
• new EncryptJWT(payload?): EncryptJWT
| Name | Type | Description |
|---|---|---|
payload |
JWTPayload |
The JWT Claims Set object. Defaults to an empty object. |
▸ encrypt(key, options?): Promise<string>
Encrypts and returns the JWT.
| Name | Type | Description |
|---|---|---|
key |
Uint8Array | KeyLike |
Public Key or Secret to encrypt the JWT with. See Algorithm Key Requirements. |
options? |
EncryptOptions |
JWE Encryption options. |
Promise<string>
▸ replicateAudienceAsHeader(): EncryptJWT
Replicates the "aud" (Audience) Claim as a JWE Protected Header Parameter.
See
▸ replicateIssuerAsHeader(): EncryptJWT
Replicates the "iss" (Issuer) Claim as a JWE Protected Header Parameter.
See
▸ replicateSubjectAsHeader(): EncryptJWT
Replicates the "sub" (Subject) Claim as a JWE Protected Header Parameter.
See
▸ setAudience(audience): EncryptJWT
Set the "aud" (Audience) Claim.
| Name | Type | Description |
|---|---|---|
audience |
string | string[] |
"aud" (Audience) Claim value to set on the JWT Claims Set. |
▸ setContentEncryptionKey(cek): EncryptJWT
Sets a content encryption key to use, by default a random suitable one is generated for the JWE enc" (Encryption Algorithm) Header Parameter.
| Name | Type | Description |
|---|---|---|
cek |
Uint8Array |
JWE Content Encryption Key. |
Deprecated
You should not use this method. It is only really intended for test and vector validation purposes.
▸ setExpirationTime(input): EncryptJWT
Set the "exp" (Expiration Time) Claim.
- If a
numberis passed as an argument it is used as the claim directly. - If a
Dateinstance is passed as an argument it is converted to unix timestamp and used as the claim. - If a
stringis passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim.
Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day".
Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year.
If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp.
| Name | Type | Description |
|---|---|---|
input |
string | number | Date |
"exp" (Expiration Time) Claim value to set on the JWT Claims Set. |
▸ setInitializationVector(iv): EncryptJWT
Sets the JWE Initialization Vector to use for content encryption, by default a random suitable one is generated for the JWE enc" (Encryption Algorithm) Header Parameter.
| Name | Type | Description |
|---|---|---|
iv |
Uint8Array |
JWE Initialization Vector. |
Deprecated
You should not use this method. It is only really intended for test and vector validation purposes.
▸ setIssuedAt(input?): EncryptJWT
Set the "iat" (Issued At) Claim.
- If no argument is used the current unix timestamp is used as the claim.
- If a
numberis passed as an argument it is used as the claim directly. - If a
Dateinstance is passed as an argument it is converted to unix timestamp and used as the claim. - If a
stringis passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim.
Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day".
Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year.
If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp.
| Name | Type | Description |
|---|---|---|
input? |
string | number | Date |
"iat" (Expiration Time) Claim value to set on the JWT Claims Set. |
▸ setIssuer(issuer): EncryptJWT
Set the "iss" (Issuer) Claim.
| Name | Type | Description |
|---|---|---|
issuer |
string |
"Issuer" Claim value to set on the JWT Claims Set. |
▸ setJti(jwtId): EncryptJWT
Set the "jti" (JWT ID) Claim.
| Name | Type | Description |
|---|---|---|
jwtId |
string |
"jti" (JWT ID) Claim value to set on the JWT Claims Set. |
▸ setKeyManagementParameters(parameters): EncryptJWT
Sets the JWE Key Management parameters to be used when encrypting. Use of this is method is really only needed for ECDH based algorithms when utilizing the Agreement PartyUInfo or Agreement PartyVInfo parameters. Other parameters will always be randomly generated when needed and missing.
| Name | Type | Description |
|---|---|---|
parameters |
JWEKeyManagementHeaderParameters |
JWE Key Management parameters. |
▸ setNotBefore(input): EncryptJWT
Set the "nbf" (Not Before) Claim.
- If a
numberis passed as an argument it is used as the claim directly. - If a
Dateinstance is passed as an argument it is converted to unix timestamp and used as the claim. - If a
stringis passed as an argument it is resolved to a time span, and then added to the current unix timestamp and used as the claim.
Format used for time span should be a number followed by a unit, such as "5 minutes" or "1 day".
Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins", "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year", "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an alias for a year.
If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets subtracted from the current unix timestamp. A "from now" suffix can also be used for readability when adding to the current unix timestamp.
| Name | Type | Description |
|---|---|---|
input |
string | number | Date |
"nbf" (Not Before) Claim value to set on the JWT Claims Set. |
▸ setProtectedHeader(protectedHeader): EncryptJWT
Sets the JWE Protected Header on the EncryptJWT object.
| Name | Type | Description |
|---|---|---|
protectedHeader |
CompactJWEHeaderParameters |
JWE Protected Header. Must contain an "alg" (JWE Algorithm) and "enc" (JWE Encryption Algorithm) properties. |
▸ setSubject(subject): EncryptJWT
Set the "sub" (Subject) Claim.
| Name | Type | Description |
|---|---|---|
subject |
string |
"sub" (Subject) Claim value to set on the JWT Claims Set. |