JWT Libraries

Version v2.10.3 backports a critical fix to reject null or empty HMAC keys during signing and verification, addressing a security vulnerability.

Version v3.2.0 introduces a new configuration option for HMAC key length enforcement and resolves critical security issues related to empty HMAC keys, alongside general compatibility fixes.

Version v2.10.2 addresses a concurrency issue by ensuring digests are not reused across separate calls within the Ecdsa and Rsa JWA implementations.

This patch release addresses critical bugs related to digest reuse in ECDSA/RSA signing and fixes EC JWK signing issues.

This patch release (v3.1.1) introduces a security enhancement by requiring the algorithm to be explicitly provided during JWK signing and verification operations.

Version 3.1.0 introduces significant security and feature enhancements, including JWK support and stricter key validation for ECDSA, alongside a breaking change requiring claim verification before accessing the token payload.

Version 3.0.0 introduces significant breaking changes focusing on security hardening, stricter standards compliance, and dependency removal. New features include bundled verification methods and improved JWK compatibility.

This major beta release introduces significant breaking changes, including stricter signature verification, removal of deprecated methods and the rbnacl dependency, and updates to algorithm and key requirements. It also adds the convenient JWT::EncodedToken#verify! method.