💡 Supported Standards
- Note
- Throughout this documentation you will see links such as the ones above to RFC documents. These are relevant to that particular part of the library and are helpful to understand some of the specific standards that shaped the development of LibJWT.
🚧 Build Prerequisites
Required
- A JSON library: either Jansson (>= 2.0, the default) or json-c (>= 0.16, selected with -DWITH_JSON_C=ON). The two are interchangeable.
- CMake (>= 3.7)
Crypto support
- OpenSSL (>= 3.0.0)
- GnuTLS (>= 3.8.8)
- MbedTLS (>= 3.6.0)
- Note
- At least one crypto backend is required, but any non-empty combination works. OpenSSL is enabled by default and can be disabled with -DWITH_OPENSSL=OFF. Each backend parses and converts JWK(S) natively.
Algorithm support matrix
| JWS Algorithm (alg) | OpenSSL | GnuTLS | MbedTLS |
| --- | --- | --- | --- |
| HS256 HS384 HS512 | ✅ | ✅ | ✅ |
| ES256 ES384 ES512 | ✅ | ✅ | ✅ |
| RS256 RS384 RS512 | ✅ | ✅ | ✅ |
| EdDSA using ED25519 | ✅ | ✅ | ❌ |
| EdDSA using ED448 | ✅ | ✅ | ❌ |
| PS256 PS384 PS512 | ✅ | ✅ | ✅ |
| ES256K | ✅ | ❌ | ✅ |
- Note
- On the GnuTLS backend, loading a "seed-only" OKP private JWK (an Ed25519/Ed448 key with d but no public coordinate x) requires GnuTLS >= 3.8.13. Older GnuTLS versions crash while deriving the public key, so LibJWT rejects such keys. Keys that carry x, all public keys, and PEM/DER keys are unaffected, as are the OpenSSL and MbedTLS backends. The version is checked at runtime, so upgrading the shared libgnutls lifts this restriction without rebuilding LibJWT.
JWE
LibJWT supports JWE (RFC 7516) Compact Serialization with a single recipient, using a key management algorithm (alg) plus a content encryption algorithm (enc).
Legend: ✅ native implementation · ❌ not supported
| JWE key management (alg) | OpenSSL | GnuTLS | MbedTLS |
| --- | --- | --- | --- |
| dir | ✅ | ✅ | ✅ |
| A128KW A192KW A256KW | ✅ | ✅ | ✅ |
| RSA-OAEP (SHA-1) | ✅ | ❌ | ✅ |
| RSA-OAEP-256 | ✅ | ✅ | ✅ |
| ECDH-ES (plus +A128KW/+A192KW/+A256KW) | ✅ | ✅ | ✅ |

| JWE content encryption (enc) | OpenSSL | GnuTLS | MbedTLS |
| --- | --- | --- | --- |
| A128GCM A192GCM A256GCM | ✅ | ✅ | ✅ |
| A128CBC-HS256 A192CBC-HS384 A256CBC-HS512 | ✅ | ✅ | ✅ |
- Note
- ECDH-ES supports both Direct Key Agreement and +A*KW key wrapping, on the EC curves P-256/384/521 and the OKP curves X25519/X448, with optional apu/apv PartyInfo. RSA1_5 and zip are intentionally not supported. Each backend implements JWE natively. GnuTLS/Nettle cannot perform RSA-OAEP with SHA-1, so the GnuTLS backend does not support plain RSA-OAEP (RSA-OAEP-256 is native). The X25519/X448 OKP curves require GnuTLS >= 3.8.13 on the GnuTLS backend (checked at runtime).
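A pre-flight check for the two GnuTLS notes above (seed-only Ed25519/Ed448 private JWKs and X25519/X448 keys both need GnuTLS >= 3.8.13). This is an added example, not LibJWT code: the function names and the sample JWKS are constructed for illustration, and the GnuTLS version string is assumed to come from your own inventory of the host.

```python
import json

# 3.8.13 is the threshold stated in the notes above; all else is illustrative.
GNUTLS_MIN = (3, 8, 13)

def parse_version(text):
    """'3.8.9' -> (3, 8, 9); ignores a packaging suffix such as '-1ubuntu1'."""
    nums = []
    for piece in text.split("-")[0].split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        nums.append(int(digits or 0))
    return tuple(nums + [0] * (3 - len(nums)))

def gnutls_problem(jwk):
    """Reason a JWK needs GnuTLS >= 3.8.13, or None if it has no such need."""
    if jwk.get("kty") != "OKP":
        return None                      # EC, RSA and oct keys are unaffected
    crv = jwk.get("crv")
    if crv in ("X25519", "X448"):
        return "X25519/X448 curve"
    if crv in ("Ed25519", "Ed448") and jwk.get("d") and not jwk.get("x"):
        return "seed-only private key (d without x)"
    return None

def audit_jwks(jwks_text, gnutls_version):
    """Map kid -> reason for keys that need a newer GnuTLS than the one given."""
    if parse_version(gnutls_version) >= GNUTLS_MIN:
        return {}
    keys = json.loads(jwks_text).get("keys", [])
    flagged = {}
    for index, jwk in enumerate(keys):
        reason = gnutls_problem(jwk)
        if reason:
            flagged[jwk.get("kid", f"key#{index}")] = reason
    return flagged

# Constructed sample JWKS; the x/y/d values are placeholders, not key material.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "sign-full", "kty": "OKP", "crv": "Ed25519", "x": "PLACEHOLDER_X", "d": "PLACEHOLDER_D"},
    {"kid": "sign-seed", "kty": "OKP", "crv": "Ed25519", "d": "PLACEHOLDER_D"},
    {"kid": "verify-only", "kty": "OKP", "crv": "Ed448", "x": "PLACEHOLDER_X"},
    {"kid": "ecdh", "kty": "OKP", "crv": "X25519", "x": "PLACEHOLDER_X"},
    {"kid": "p256", "kty": "EC", "crv": "P-256", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"},
]})

if __name__ == "__main__":
    for version in ("3.8.8", "3.8.13"):
        print(version, audit_jwks(SAMPLE_JWKS, version))
```

Pass the version of the shared libgnutls installed on the host rather than the one LibJWT was built against, since the notes state the check happens at runtime.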
Optional
📖 Docs and Source
🔗 Current Docs
🔗 Legacy Docs v2.1.1
🔗 GitHub Repo
📦 Pre-built Packages
LibJWT is available in most Linux distributions as well as through Homebrew for Linux, macOS, and Windows.
🔨 Build Instructions
With CMake:
$ mkdir build
$ cd build
$ cmake ..
$ make