jose

JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) library

https://github.com/frasertweedale/hs-jose

LTS Haskell 24.35:	0.11
Stackage Nightly 2026-03-29:	0.12
Latest on Hackage:	0.12

See all snapshots jose appears in

Apache-2.0 licensed by Fraser Tweedale

Maintained by [email protected]

This version can be pinned in stack with:jose-0.12@sha256:7305643e19cab3d1b21ea4de5fc009161339b0b4ddd3107af4339175fff0e539,3695

Module documentation for 0.12

Crypto
- Crypto.JOSE
- Crypto.JWT

Depends on 18 packages(full list with versions):

aeson, base, base64-bytestring, bytestring, concise, containers, crypton, crypton-x509, jose, lens, memory, monad-time, mtl, network-uri, template-haskell, text, time, unix

Used by 5 packages in nightly-2026-03-29(full list with versions):

jose, servant-auth, servant-auth-server, webgear-core, webgear-server

jose - JSON Object Signing and Encryption & JWT (JSON Web Token)

jose is a Haskell implementation of JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT).

The JSON Web Signature (JWS; RFC 7515) implementation is complete. JSON Web Encryption (JWE; RFC 7516) is not yet implemented.

EdDSA signatures (RFC 8037) and secp256k1 signatures (RFC 8812) are supported.

JWK Thumbprint (RFC 7638) is supported.

Contributions are welcome.

Security

If you discover a security issue in this library, please email me the details, ideally with a proof of concept (frase @ frase.id.au ; PGP key).

Before reporting an issue, please note the following known vulnerabilities:

The ECDSA implementation is vulnerable to timing attacks and should therefore only be used for verification.

and the following known not-vulnerabilities:

The library is not vulnerable to JWS algorithm substitution attacks. Haskell’s type system excludes this attack.
The default JWS validation settings reject the "none" algorithm, as required by RFC 7518.
The library is not vulnerable to ECDH invalid curve attacks because JWE is not implemented.

Interoperability issues

The following known interoperability issues will not be addressed, so please do not open issues:

Some JOSE tools and libraries permit the use of short keys, in violation of the RFCs. This implementation rejects JWS or JWT objects minted with short keys, as required by the RFCs.
The Auth0 software produces objects with an invalid "x5t" parameter. The datum should be a base64url-encoded SHA-1 digest, but Auth0 produces a base64url-encoded hex-encoded SHA-1 digest. The object can be repaired (example) so that this library will admit it, unless the offending parameter is part of the JWS Protected Header in which case you are out of luck (until Auth0 bring their implementation into compliance).
JWKs with leading null bytes in the RSA "n" parameter (a violation of RFC 7518) have been seen in the wild. This library rejects nonconformant JWKs. If you know which programs/libraries produce such objects, please file bugs against them. It is straightforward to repair these keys: base64url-decode the offending parameter, drop the leading null byte, base64url-encode again then update the JSON object.

Contributing

Bug reports, patches, feature requests, code review, crypto review, examples and documentation are welcome.

If you are wondering about how or whether to implement some feature or fix, please open an issue where it can be discussed. I appreciate your efforts, but I do not wish such efforts to be misplaced.

To submit a patch, please use git send-email or open a pull request. Write a well formed commit message. If your patch is nontrivial, update the copyright notice at the top of the modified files.

Changes

Version 0.12 (2025-08-18)

GHC 9.6 is now the earliest supported version.
Changed the header protection data types for better ergonomics (#125). Previously, () was used for serialisations that only support protected headers (thus, a single constructor). This release introduces the new singleton data type RequiredProtected to replace the use of () for this purpose. This is a breaking change and some library users will need to update their code.

The Protection type has been renamed to OptionalProtection, with the old name retained as a (deprecated) type synonym.

The ProtectionIndicator class has been renamed to ProtectionSupport, with the old name retained as a (deprecated) type synonym.

Added some convenience header and header parameter constructors: newJWSHeaderProtected, newHeaderParamProtected and newHeaderParamUnprotected.
Generalised the types of signJWT, verifyJWT and related functions to accept custom JWS header types. Added new type synonym SignedJWTWithHeader h. This change could break some applications by introducing ambiguity. The solution is to use a type annotation, type application, or explicit coercion function, as in the below examples:
```
-- type application
{-# LANGUAGE TypeApplications #-}
decodeCompact @SignedJWT s >>= verifyClaims settings k

-- type annotation
do
  jwt <- decodeCompact s
  verifyClaims settings k (jwt :: SignedJWT)

-- coercion function
let
  fixType = id :: SignedJWT -> SignedJWT
in
  verifyClaims settings k . fixType =<< decodeCompact s
```
Added unsafeGetPayload, unsafeGetJWTPayload and unsafeGetJWTClaimsSet functions. These enable access to the JWS/JWT payload without cryptographic verification. As the name implies, these should be used with the utmost caution! (#126)
Add Crypto.JOSE.JWK.negotiateJWSAlg which chooses the cryptographically strongest JWS algorithm for a given key, restricted to a given set of algorithms. (#118)
Added new conversion functions Crypto.JOSE.JWK.fromX509PubKey and Crypto.JOSE.JWK.fromX509PrivKey. These convert from the Data.X509.PubKey and Data.X509.PrivKey types, which can be read via the crypton-x509-store package. They supports RSA, NIST ECC, and Edwards curve key types (Ed25519, Ed448, X25519, X448).
Updated Crypto.JOSE.JWK.fromX509Certificate to support Edwards curve key types (Ed25519, Ed448, X25519, X448).
Added Crypto.JOSE.JWK.fromRSAPublic :: RSA.PublicKey -> JWK.
Added Ord instance for StringOrURI (#134; contributed by Chris Penner).
Added Semigroup and Monoid instances for JWKSet (#135; contributed by Torgeir Strand Henriksen).

Version 0.11 (2023-10-31)

Migrate to the crypton library ecosystem. crypton was a hard fork of cryptonite, which was no longer maintained. With this change, the minimum supported version of GHC increased to 8.8. There are no other notable changes in this release.
The v0.10 series is the last release series to support cryptonite. It will continue to receive important bug fixes until the end of 2024.

Version 0.10 (2022-09-01)

Introduce newtype JOSE e m a which behaves like ExceptT e m a but also has instance (MonadRandom m) => MonadRandom (JOSE e m). The orphan MonadRandom instances were removed. (#91)
Parameterise JWT over the claims data type. This is a cleaner mechanism to support applications that use additional claims beyond those registered by RFC 7519. unregisteredClaims and addClaim are deprecated and will be removed in a future release. (#39)
Add Ed448 and X448 support. (#74)
Add secp256k1 curve support (RFC 8812).
Added checkJWK :: (MonadError e m, AsError e) => JWK -> m (). This action performs some key usability checks. In particular it identifies too-small symmetric keys. (#46)
Removed QuickCheck instances. jose no longer depends on QuickCheck. (#106)
Removed orphan ToJSON and FromJSON instances for URI.
Fail signature verification when curve does not match algorithm. This is an additional defence against curve substitution attacks.
Improved error reporting when constructing a JWK from an X.509 certificate with ECDSA key.
Make compatible with mtl == 2.3.* (#107)
Make compatible with monad-time == 0.4

Older versions

See Git commit history