Welcome to LibJWT

Warning

Version 3 of LibJWT is a complete overhaul of the code. Please see documentation for usage.

💡 Supported Standards

Standard	RFC	Description
JWS	📄 RFC-7515	JSON Web Signature
JWE	📄 RFC-7516	JSON Web Encryption
JWK	📄 RFC-7517	JSON Web Keys and Sets
JWA	📄 RFC-7518	JSON Web Algorithms
JWT	📄 RFC-7519	JSON Web Token

Note

Throughout this documentation you will see links such as the ones above to RFC documents. These are relevant to that particular part of the library and are helpful to understand some of the specific standards that shaped the development of LibJWT.

🚧 Build Prerequisites

Required

• JANSSON (>= 2.0)
• CMake (>= 3.7)

Crypto support

• OpenSSL (>= 3.0.0)
• GnuTLS (>= 3.6.0)
• MbedTLS (>= 3.6.0)

Note

OpenSSL is always required. All three backends parse JWK(S) natively (GnuTLS native parsing requires GnuTLS >= 3.8.4; older GnuTLS delegates JWK(S) parsing and RSA-OAEP/ECDH-ES to OpenSSL).

Algorithm support matrix

JWS Algorithm alg	OpenSSL	GnuTLS	MbedTLS
HS256 HS384 HS512	✅	✅	✅
ES256 ES384 ES512	✅	✅	✅
RS256 RS384 RS512	✅	✅	✅
EdDSA using ED25519	✅	✅	❌
EdDSA using ED448	✅	✅ >= 3.8.8	❌
PS256 PS384 PS512	✅	✅	✅
ES256K	✅	❌	✅

JWE

LibJWT supports JWE (RFC 7516) Compact Serialization with a single recipient, using a key management algorithm (alg) plus a content encryption algorithm (enc).

Legend: ✅ native implementation · 🔵 supported, using OpenSSL as a fallback · ❌ not supported

JWE key management alg	OpenSSL	GnuTLS	MbedTLS
dir	✅	✅	✅
A128KW A192KW A256KW	✅	✅	✅
RSA-OAEP (SHA-1)	✅	🔵	✅
RSA-OAEP-256	✅	✅	✅
ECDH-ES (+ +A128KW/+A192KW/+A256KW)	✅	✅	✅

JWE content encryption enc	OpenSSL	GnuTLS	MbedTLS
A128GCM A192GCM A256GCM	✅	✅	✅
A128CBC-HS256 A192CBC-HS384 A256CBC-HS512	✅	✅	✅

Note

ECDH-ES supports both Direct Key Agreement and +A*KW key wrapping, on the EC curves P-256/384/521 and the OKP curves X25519/X448, with optional apu/apv PartyInfo. RSA1_5 and zip are intentionally not supported. Each backend implements JWE natively except that GnuTLS/Nettle cannot perform RSA-OAEP with SHA-1, so plain RSA-OAEP falls back to OpenSSL under the GnuTLS backend (RSA-OAEP-256 is native).

Optional

• Check Library (>= 0.9.10) for unit testing
• Doxygen (>= 1.13.0) for documentation

📖 Docs and Source

🔗 Current Docs

🔗 Legacy Docs v2.1.1

🔗 GitHub Repo

📦 Pre-built Packages

LibJWT is available in most Linux distributions as well as through Homebrew for Linux, macOS, and Windows.

🔨 Build Instructions

With CMake:

$ mkdir build
$ cd build
$ cmake ..
$ make