@oari/jose 0.0.0

package/dist/types/jws/general/sign.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Signing JSON Web Signature (JWS) in General JSON Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/** Used to build General JWS object's individual signatures. */
+export interface Signature {
+    /**
+     * Sets the JWS Protected Header on the Signature object.
+     *
+     * @param protectedHeader JWS Protected Header.
+     */
+    setProtectedHeader(protectedHeader: types.JWSHeaderParameters): Signature;
+    /**
+     * Sets the JWS Unprotected Header on the Signature object.
+     *
+     * @param unprotectedHeader JWS Unprotected Header.
+     */
+    setUnprotectedHeader(unprotectedHeader: types.JWSHeaderParameters): Signature;
+    /** A shorthand for calling addSignature() on the enclosing {@link GeneralSign} instance */
+    addSignature(...args: Parameters<GeneralSign['addSignature']>): Signature;
+    /** A shorthand for calling encrypt() on the enclosing {@link GeneralSign} instance */
+    sign(...args: Parameters<GeneralSign['sign']>): Promise<types.GeneralJWS>;
+    /** Returns the enclosing {@link GeneralSign} instance */
+    done(): GeneralSign;
+}
+/**
+ * The GeneralSign class is used to build and sign General JWS objects.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jws/general/sign'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jws = await new jose.GeneralSign(
+ *   new TextEncoder().encode('It’s a dangerous business, Frodo, going out your door.'),
+ * )
+ *   .addSignature(ecPrivateKey)
+ *   .setProtectedHeader({ alg: 'ES256' })
+ *   .addSignature(rsaPrivateKey)
+ *   .setProtectedHeader({ alg: 'PS256' })
+ *   .sign()
+ *
+ * console.log(jws)
+ * ```
+ */
+export declare class GeneralSign {
+    #private;
+    /**
+     * {@link GeneralSign} constructor
+     *
+     * @param payload Binary representation of the payload to sign.
+     */
+    constructor(payload: Uint8Array);
+    /**
+     * Adds an additional signature for the General JWS object.
+     *
+     * @param key Private Key or Secret to sign the individual JWS signature with. See
+     *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+     * @param options JWS Sign options.
+     */
+    addSignature(key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.SignOptions): Signature;
+    /** Signs and resolves the value of the General JWS object. */
+    sign(): Promise<types.GeneralJWS>;
+}

package/dist/types/jws/general/verify.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Verifying JSON Web Signature (JWS) in General JSON Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * Interface for General JWS Verification dynamic key resolution. No token components have been
+ * verified at the time of this function call.
+ *
+ * @see {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} to verify using a remote JSON Web Key Set.
+ */
+export interface GeneralVerifyGetKey extends types.GenericGetKeyFunction<types.JWSHeaderParameters, types.FlattenedJWSInput, types.CryptoKey | types.KeyObject | types.JWK | Uint8Array> {
+}
+/**
+ * Verifies the signature and format of and afterwards decodes the General JWS.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jws/general/verify'`.
+ *
+ * > [!NOTE]\
+ * > The function iterates over the `signatures` array in the General JWS and returns the verification
+ * > result of the first signature entry that can be successfully verified. The result only contains
+ * > the payload, protected header, and unprotected header of that successfully verified signature
+ * > entry. Other signature entries in the General JWS are not validated, and their headers are not
+ * > included in the returned result. Recipients of a General JWS should only rely on the returned
+ * > (verified) data.
+ *
+ * @example
+ *
+ * ```js
+ * const jws = {
+ *   payload: 'SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4',
+ *   signatures: [
+ *     {
+ *       signature:
+ *         'FVVOXwj6kD3DqdfD9yYqfT2W9jv-Nop4kOehp_DeDGNB5dQNSPRvntBY6xH3uxlCxE8na9d_kyhYOcanpDJ0EA',
+ *       protected: 'eyJhbGciOiJFUzI1NiJ9',
+ *     },
+ *   ],
+ * }
+ *
+ * const { payload, protectedHeader } = await jose.generalVerify(jws, publicKey)
+ *
+ * console.log(protectedHeader)
+ * console.log(new TextDecoder().decode(payload))
+ * ```
+ *
+ * @param jws General JWS.
+ * @param key Key to verify the JWS with. See
+ *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+ * @param options JWS Verify options.
+ */
+export declare function generalVerify(jws: types.GeneralJWSInput, key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.VerifyOptions): Promise<types.GeneralVerifyResult>;
+/**
+ * @param jws General JWS.
+ * @param getKey Function resolving a key to verify the JWS with. See
+ *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+ * @param options JWS Verify options.
+ */
+export declare function generalVerify(jws: types.GeneralJWSInput, getKey: GeneralVerifyGetKey, options?: types.VerifyOptions): Promise<types.GeneralVerifyResult & types.ResolvedKey>;

package/dist/types/jwt/decrypt.d.ts

@@ -0,0 +1,51 @@
+/**
+ * JSON Web Token (JWT) Decryption (JWT is in JWE format)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/** Combination of JWE Decryption options and JWT Claims Set verification options. */
+export interface JWTDecryptOptions extends types.DecryptOptions, types.JWTClaimVerificationOptions {
+}
+/**
+ * Interface for JWT Decryption dynamic key resolution. No token components have been verified at
+ * the time of this function call.
+ */
+export interface JWTDecryptGetKey extends types.GetKeyFunction<types.CompactJWEHeaderParameters, types.FlattenedJWE> {
+}
+/**
+ * Verifies the JWT format (to be a JWE Compact format), decrypts the ciphertext, validates the JWT
+ * Claims Set.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwt/decrypt'`.
+ *
+ * @example
+ *
+ * ```js
+ * const secret = jose.base64url.decode('zH4NRP1HMALxxCFnRZABFA7GOJtzU_gIj02alfL1lvI')
+ * const jwt =
+ *   'eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..MB66qstZBPxAXKdsjet_lA.WHbtJTl4taHp7otOHLq3hBvv0yNPsPEKHYInmCPdDDeyV1kU-f-tGEiU4FxlSqkqAT2hVs8_wMNiQFAzPU1PUgIqWCPsBrPP3TtxYsrtwagpn4SvCsUsx0Mhw9ZhliAO8CLmCBQkqr_T9AcYsz5uZw.7nX9m7BGUu_u1p1qFHzyIg'
+ *
+ * const { payload, protectedHeader } = await jose.jwtDecrypt(jwt, secret, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ *
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @param jwt JSON Web Token value (encoded as JWE).
+ * @param key Private Key or Secret to decrypt and verify the JWT with. See
+ *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+ * @param options JWT Decryption and JWT Claims Set validation options.
+ */
+export declare function jwtDecrypt<PayloadType = types.JWTPayload>(jwt: string | Uint8Array, key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: JWTDecryptOptions): Promise<types.JWTDecryptResult<PayloadType>>;
+/**
+ * @param jwt JSON Web Token value (encoded as JWE).
+ * @param getKey Function resolving Private Key or Secret to decrypt and verify the JWT with. See
+ *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+ * @param options JWT Decryption and JWT Claims Set validation options.
+ */
+export declare function jwtDecrypt<PayloadType = types.JWTPayload>(jwt: string | Uint8Array, getKey: JWTDecryptGetKey, options?: JWTDecryptOptions): Promise<types.JWTDecryptResult<PayloadType> & types.ResolvedKey>;

package/dist/types/jwt/encrypt.d.ts

@@ -0,0 +1,105 @@
+/**
+ * JSON Web Token (JWT) Encryption (JWT is in JWE format)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * The EncryptJWT class is used to build and encrypt Compact JWE formatted JSON Web Tokens.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jwt/encrypt'`.
+ *
+ * @example
+ *
+ * ```js
+ * const secret = jose.base64url.decode('zH4NRP1HMALxxCFnRZABFA7GOJtzU_gIj02alfL1lvI')
+ * const jwt = await new jose.EncryptJWT({ 'urn:example:claim': true })
+ *   .setProtectedHeader({ alg: 'dir', enc: 'A128CBC-HS256' })
+ *   .setIssuedAt()
+ *   .setIssuer('urn:example:issuer')
+ *   .setAudience('urn:example:audience')
+ *   .setExpirationTime('2h')
+ *   .encrypt(secret)
+ *
+ * console.log(jwt)
+ * ```
+ */
+export declare class EncryptJWT implements types.ProduceJWT {
+    #private;
+    /**
+     * {@link EncryptJWT} constructor
+     *
+     * @param payload The JWT Claims Set object. Defaults to an empty object.
+     */
+    constructor(payload?: types.JWTPayload);
+    setIssuer(issuer: string): this;
+    setSubject(subject: string): this;
+    setAudience(audience: string | string[]): this;
+    setJti(jwtId: string): this;
+    setNotBefore(input: number | string | Date): this;
+    setExpirationTime(input: number | string | Date): this;
+    setIssuedAt(input?: number | string | Date): this;
+    /**
+     * Sets the JWE Protected Header on the EncryptJWT object.
+     *
+     * @param protectedHeader JWE Protected Header. Must contain an "alg" (JWE Algorithm) and "enc"
+     *   (JWE Encryption Algorithm) properties.
+     */
+    setProtectedHeader(protectedHeader: types.CompactJWEHeaderParameters): this;
+    /**
+     * Sets the JWE Key Management parameters to be used when encrypting.
+     *
+     * (ECDH-ES) Use of this method is needed for ECDH based algorithms to set the "apu" (Agreement
+     * PartyUInfo) or "apv" (Agreement PartyVInfo) parameters.
+     *
+     * @param parameters JWE Key Management parameters.
+     */
+    setKeyManagementParameters(parameters: types.JWEKeyManagementHeaderParameters): this;
+    /**
+     * Sets a content encryption key to use, by default a random suitable one is generated for the JWE
+     * enc" (Encryption Algorithm) Header Parameter.
+     *
+     * @deprecated You should not use this method. It is only really intended for test and vector
+     *   validation purposes.
+     *
+     * @param cek JWE Content Encryption Key.
+     */
+    setContentEncryptionKey(cek: Uint8Array): this;
+    /**
+     * Sets the JWE Initialization Vector to use for content encryption, by default a random suitable
+     * one is generated for the JWE enc" (Encryption Algorithm) Header Parameter.
+     *
+     * @deprecated You should not use this method. It is only really intended for test and vector
+     *   validation purposes.
+     *
+     * @param iv JWE Initialization Vector.
+     */
+    setInitializationVector(iv: Uint8Array): this;
+    /**
+     * Replicates the "iss" (Issuer) Claim as a JWE Protected Header Parameter.
+     *
+     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-5.3 RFC7519#section-5.3}
+     */
+    replicateIssuerAsHeader(): this;
+    /**
+     * Replicates the "sub" (Subject) Claim as a JWE Protected Header Parameter.
+     *
+     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-5.3 RFC7519#section-5.3}
+     */
+    replicateSubjectAsHeader(): this;
+    /**
+     * Replicates the "aud" (Audience) Claim as a JWE Protected Header Parameter.
+     *
+     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-5.3 RFC7519#section-5.3}
+     */
+    replicateAudienceAsHeader(): this;
+    /**
+     * Encrypts and returns the JWT.
+     *
+     * @param key Public Key or Secret to encrypt the JWT with. See
+     *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+     * @param options JWE Encryption options.
+     */
+    encrypt(key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.EncryptOptions): Promise<string>;
+}

package/dist/types/jwt/sign.d.ts

@@ -0,0 +1,140 @@
+/**
+ * JSON Web Token (JWT) Signing (JWT is in JWS format)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * The SignJWT class is used to build and sign Compact JWS formatted JSON Web Tokens.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jwt/sign'`.
+ *
+ * @example
+ *
+ * Usage with a symmetric secret
+ *
+ * ```js
+ * const secret = new TextEncoder().encode(
+ *   'cc7e0d44fd473002f1c42167459001140ec6389b7353f8088f4d9a95f2f596f2',
+ * )
+ * const alg = 'HS256'
+ *
+ * const jwt = await new jose.SignJWT({ 'urn:example:claim': true })
+ *   .setProtectedHeader({ alg })
+ *   .setIssuedAt()
+ *   .setIssuer('urn:example:issuer')
+ *   .setAudience('urn:example:audience')
+ *   .setExpirationTime('2h')
+ *   .sign(secret)
+ *
+ * console.log(jwt)
+ * ```
+ *
+ * @example
+ *
+ * Usage with a private PKCS#8 encoded RSA key
+ *
+ * ```js
+ * const alg = 'RS256'
+ * const pkcs8 = `-----BEGIN PRIVATE KEY-----
+ * MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCFg4UrY5xtulv
+ * /NXKmL1J4qI1SopAfTNMo3X7p+kJO7plqUYjzaztcre1qfh0m33Sm1Q8oPbO/GpP
+ * MU1/HgcceytgJ/b4UwufVVMl9BrMDYG8moDBylbVupFQS3Ly1L9i/iFG9Z9A9xzY
+ * Zzf799A45bnvNXL6s2glzvjiRvfQ2NDF0anTcnZLcYtC7ugq1IMM+ihAcPfw8Qw2
+ * chN/SmP4qAM+PKaQwagmU7doqmmyN9u38AfoYZ1GCFhEs5TBBT6H6h9YdHeVtiIq
+ * 1c+fl03biSIfLrV7dUBD39gBmXBcL/30Ya3D82mCEUC4zg/UkOfQOmkmV3Lc8YUL
+ * QZ8EJkBLAgMBAAECggEAVuVE/KEP6323WjpbBdAIv7HGahGrgGANvbxZsIhm34ls
+ * VOPK0XDegZkhAybMZHjRhp+gwVxX5ChC+J3cUpOBH5FNxElgW6HizD2Jcq6t6LoL
+ * YgPSrfEHm71iHg8JsgrqfUnGYFzMJmv88C6WdCtpgG/qJV1K00/Ly1G1QKoBffEs
+ * +v4fAMJrCbUdCz1qWto+PU+HLMEo+krfEpGgcmtZeRlDADh8cETMQlgQfQX2VWq/
+ * aAP4a1SXmo+j0cvRU4W5Fj0RVwNesIpetX2ZFz4p/JmB5sWFEj/fC7h5z2lq+6Bm
+ * e2T3BHtXkIxoBW0/pYVnASC8P2puO5FnVxDmWuHDYQKBgQDTuuBd3+0tSFVEX+DU
+ * 5qpFmHm5nyGItZRJTS+71yg5pBxq1KqNCUjAtbxR0q//fwauakh+BwRVCPOrqsUG
+ * jBSb3NYE70Srp6elqxgkE54PwQx4Mr6exJPnseM9U4K+hULllf5yjM9edreJE1nV
+ * NVgFjeyafQhrHKwgr7PERJ/ikwKBgQDqqsT1M+EJLmI1HtCspOG6cu7q3gf/wKRh
+ * E8tu84i3YyBnI8uJkKy92RNVI5fvpBARe3tjSdM25rr2rcrcmF/5g6Q9ImxZPGCt
+ * 86eOgO9ErNtbc4TEgybsP319UE4O41aKeNiBTAZKoYCxv/dMqG0j4avmWzd+foHq
+ * gSNUvR2maQKBgQCYeqOsV2B6VPY7KIVFLd0AA9/dwvEmgAYLiA/RShDI+hwQ/5jX
+ * uxDu37KAhqeC65sHLrmIMUt4Zdr+DRyZK3aIDNEAesPMjw/X6lCXYp1ZISD2yyym
+ * MFGH8X8CIkstI9Faf9vf6PJKSFrC1/HA7wq17VCwrUzLvrljTMW8meM/CwKBgCpo
+ * 2leGHLFQFKeM/iF1WuYbR1pi7gcmhY6VyTowARFDdOOu8GXYI5/bz0afvCGvAMho
+ * DJCREv7lC/zww6zCTPYG+HOj+PjXlJFba3ixjIxYwPvyEJiDK1Ge18sB7Fl8dHNq
+ * C5ayaqCqN1voWYUdGzxU2IA1E/5kVo5O8FesJeOhAoGBAImJbZFf+D5kA32Xxhac
+ * 59lLWBCsocvvbd1cvDMNlRywAAyhsCb1SuX4nEAK9mrSBdfmoF2Nm3eilfsOds0f
+ * K5mX069IKG82CMqh3Mzptd7e7lyb9lsoGO0BAtjho3cWtha/UZ70vfaMzGuZ6JmQ
+ * ak6k+8+UFd93M4z0Qo74OhXB
+ * -----END PRIVATE KEY-----`
+ * const privateKey = await jose.importPKCS8(pkcs8, alg)
+ *
+ * const jwt = await new jose.SignJWT({ 'urn:example:claim': true })
+ *   .setProtectedHeader({ alg })
+ *   .setIssuedAt()
+ *   .setIssuer('urn:example:issuer')
+ *   .setAudience('urn:example:audience')
+ *   .setExpirationTime('2h')
+ *   .sign(privateKey)
+ *
+ * console.log(jwt)
+ * ```
+ *
+ * @example
+ *
+ * Usage with a private JWK encoded RSA key
+ *
+ * ```js
+ * const alg = 'RS256'
+ * const jwk = {
+ *   kty: 'RSA',
+ *   n: 'whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4HHHsrYCf2-FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS_Yv4hRvWfQPcc2Gc3-_fQOOW57zVy-rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj-KgDPjymkMGoJlO3aKppsjfbt_AH6GGdRghYRLOUwQU-h-ofWHR3lbYiKtXPn5dN24kiHy61e3VAQ9_YAZlwXC_99GGtw_NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZASw',
+ *   e: 'AQAB',
+ *   d: 'VuVE_KEP6323WjpbBdAIv7HGahGrgGANvbxZsIhm34lsVOPK0XDegZkhAybMZHjRhp-gwVxX5ChC-J3cUpOBH5FNxElgW6HizD2Jcq6t6LoLYgPSrfEHm71iHg8JsgrqfUnGYFzMJmv88C6WdCtpgG_qJV1K00_Ly1G1QKoBffEs-v4fAMJrCbUdCz1qWto-PU-HLMEo-krfEpGgcmtZeRlDADh8cETMQlgQfQX2VWq_aAP4a1SXmo-j0cvRU4W5Fj0RVwNesIpetX2ZFz4p_JmB5sWFEj_fC7h5z2lq-6Bme2T3BHtXkIxoBW0_pYVnASC8P2puO5FnVxDmWuHDYQ',
+ *   p: '07rgXd_tLUhVRF_g1OaqRZh5uZ8hiLWUSU0vu9coOaQcatSqjQlIwLW8UdKv_38GrmpIfgcEVQjzq6rFBowUm9zWBO9Eq6enpasYJBOeD8EMeDK-nsST57HjPVOCvoVC5ZX-cozPXna3iRNZ1TVYBY3smn0IaxysIK-zxESf4pM',
+ *   q: '6qrE9TPhCS5iNR7QrKThunLu6t4H_8CkYRPLbvOIt2MgZyPLiZCsvdkTVSOX76QQEXt7Y0nTNua69q3K3Jhf-YOkPSJsWTxgrfOnjoDvRKzbW3OExIMm7D99fVBODuNWinjYgUwGSqGAsb_3TKhtI-Gr5ls3fn6B6oEjVL0dpmk',
+ *   dp: 'mHqjrFdgelT2OyiFRS3dAAPf3cLxJoAGC4gP0UoQyPocEP-Y17sQ7t-ygIanguubBy65iDFLeGXa_g0cmSt2iAzRAHrDzI8P1-pQl2KdWSEg9ssspjBRh_F_AiJLLSPRWn_b3-jySkhawtfxwO8Kte1QsK1My765Y0zFvJnjPws',
+ *   dq: 'KmjaV4YcsVAUp4z-IXVa5htHWmLuByaFjpXJOjABEUN0467wZdgjn9vPRp-8Ia8AyGgMkJES_uUL_PDDrMJM9gb4c6P4-NeUkVtreLGMjFjA-_IQmIMrUZ7XywHsWXx0c2oLlrJqoKo3W-hZhR0bPFTYgDUT_mRWjk7wV6wl46E',
+ *   qi: 'iYltkV_4PmQDfZfGFpzn2UtYEKyhy-9t3Vy8Mw2VHLAADKGwJvVK5ficQAr2atIF1-agXY2bd6KV-w52zR8rmZfTr0gobzYIyqHczOm13t7uXJv2WygY7QEC2OGjdxa2Fr9RnvS99ozMa5nomZBqTqT7z5QV33czjPRCjvg6FcE',
+ * }
+ * const privateKey = await jose.importJWK(jwk, alg)
+ *
+ * const jwt = await new jose.SignJWT({ 'urn:example:claim': true })
+ *   .setProtectedHeader({ alg })
+ *   .setIssuedAt()
+ *   .setIssuer('urn:example:issuer')
+ *   .setAudience('urn:example:audience')
+ *   .setExpirationTime('2h')
+ *   .sign(privateKey)
+ *
+ * console.log(jwt)
+ * ```
+ */
+export declare class SignJWT implements types.ProduceJWT {
+    #private;
+    /**
+     * {@link SignJWT} constructor
+     *
+     * @param payload The JWT Claims Set object. Defaults to an empty object.
+     */
+    constructor(payload?: types.JWTPayload);
+    setIssuer(issuer: string): this;
+    setSubject(subject: string): this;
+    setAudience(audience: string | string[]): this;
+    setJti(jwtId: string): this;
+    setNotBefore(input: number | string | Date): this;
+    setExpirationTime(input: number | string | Date): this;
+    setIssuedAt(input?: number | string | Date): this;
+    /**
+     * Sets the JWS Protected Header on the SignJWT object.
+     *
+     * @param protectedHeader JWS Protected Header. Must contain an "alg" (JWS Algorithm) property.
+     */
+    setProtectedHeader(protectedHeader: types.JWTHeaderParameters): this;
+    /**
+     * Signs and returns the JWT.
+     *
+     * @param key Private Key or Secret to sign the JWT with. See
+     *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+     * @param options JWT Sign options.
+     */
+    sign(key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.SignOptions): Promise<string>;
+}

package/dist/types/jwt/unsecured.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Unsecured (unsigned & unencrypted) JSON Web Tokens (JWT)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/** Result of decoding an Unsecured JWT. */
+export interface UnsecuredResult<PayloadType = types.JWTPayload> {
+    payload: PayloadType & types.JWTPayload;
+    header: types.JWSHeaderParameters;
+}
+/**
+ * The UnsecuredJWT class is a utility for dealing with `{ "alg": "none" }` Unsecured JWTs.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jwt/unsecured'`.
+ *
+ * @example
+ *
+ * Encoding
+ *
+ * ```js
+ * const unsecuredJwt = new jose.UnsecuredJWT({ 'urn:example:claim': true })
+ *   .setIssuedAt()
+ *   .setIssuer('urn:example:issuer')
+ *   .setAudience('urn:example:audience')
+ *   .setExpirationTime('2h')
+ *   .encode()
+ *
+ * console.log(unsecuredJwt)
+ * ```
+ *
+ * @example
+ *
+ * Decoding
+ *
+ * ```js
+ * const payload = jose.UnsecuredJWT.decode(unsecuredJwt, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ *
+ * console.log(payload)
+ * ```
+ */
+export declare class UnsecuredJWT implements types.ProduceJWT {
+    #private;
+    /**
+     * {@link UnsecuredJWT} constructor
+     *
+     * @param payload The JWT Claims Set object. Defaults to an empty object.
+     */
+    constructor(payload?: types.JWTPayload);
+    /** Encodes the Unsecured JWT. */
+    encode(): string;
+    setIssuer(issuer: string): this;
+    setSubject(subject: string): this;
+    setAudience(audience: string | string[]): this;
+    setJti(jwtId: string): this;
+    setNotBefore(input: number | string | Date): this;
+    setExpirationTime(input: number | string | Date): this;
+    setIssuedAt(input?: number | string | Date): this;
+    /**
+     * Decodes an unsecured JWT.
+     *
+     * @param jwt Unsecured JWT to decode the payload of.
+     * @param options JWT Claims Set validation options.
+     */
+    static decode<PayloadType = types.JWTPayload>(jwt: string, options?: types.JWTClaimVerificationOptions): UnsecuredResult<PayloadType>;
+}

package/dist/types/jwt/verify.d.ts

@@ -0,0 +1,124 @@
+/**
+ * JSON Web Token (JWT) Verification (JWT is in JWS format)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/** Combination of JWS Verification options and JWT Claims Set verification options. */
+export interface JWTVerifyOptions extends types.VerifyOptions, types.JWTClaimVerificationOptions {
+}
+/**
+ * Interface for JWT Verification dynamic key resolution. No token components have been verified at
+ * the time of this function call.
+ *
+ * @see {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} to verify using a remote JSON Web Key Set.
+ */
+export interface JWTVerifyGetKey extends types.GenericGetKeyFunction<types.JWTHeaderParameters, types.FlattenedJWSInput, types.CryptoKey | types.KeyObject | types.JWK | Uint8Array> {
+}
+/**
+ * Verifies the JWT format (to be a JWS Compact format), verifies the JWS signature, validates the
+ * JWT Claims Set.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwt/verify'`.
+ *
+ * @example
+ *
+ * Usage with a symmetric secret
+ *
+ * ```js
+ * const secret = new TextEncoder().encode(
+ *   'cc7e0d44fd473002f1c42167459001140ec6389b7353f8088f4d9a95f2f596f2',
+ * )
+ * const jwt =
+ *   'eyJhbGciOiJIUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjY5MDU2MjMxLCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.C4iSlLfAUMBq--wnC6VqD9gEOhwpRZpoRarE0m7KEnI'
+ *
+ * const { payload, protectedHeader } = await jose.jwtVerify(jwt, secret, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ *
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @example
+ *
+ * Usage with a public SPKI encoded RSA key
+ *
+ * ```js
+ * const alg = 'RS256'
+ * const spki = `-----BEGIN PUBLIC KEY-----
+ * MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9
+ * SeKiNUqKQH0zTKN1+6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4H
+ * HHsrYCf2+FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS/Yv4hRvWfQPcc2Gc3+/fQ
+ * OOW57zVy+rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj
+ * +KgDPjymkMGoJlO3aKppsjfbt/AH6GGdRghYRLOUwQU+h+ofWHR3lbYiKtXPn5dN
+ * 24kiHy61e3VAQ9/YAZlwXC/99GGtw/NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZA
+ * SwIDAQAB
+ * -----END PUBLIC KEY-----`
+ * const publicKey = await jose.importSPKI(spki, alg)
+ * const jwt =
+ *   'eyJhbGciOiJSUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjY5MDU2NDg4LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.gXrPZ3yM_60dMXGE69dusbpzYASNA-XIOwsb5D5xYnSxyj6_D6OR_uR_1vqhUm4AxZxcrH1_-XJAve9HCw8az_QzHcN-nETt-v6stCsYrn6Bv1YOc-mSJRZ8ll57KVqLbCIbjKwerNX5r2_Qg2TwmJzQdRs-AQDhy-s_DlJd8ql6wR4n-kDZpar-pwIvz4fFIN0Fj57SXpAbLrV6Eo4Byzl0xFD8qEYEpBwjrMMfxCZXTlAVhAq6KCoGlDTwWuExps342-0UErEtyIqDnDGcrfNWiUsoo8j-29IpKd-w9-C388u-ChCxoHz--H8WmMSZzx3zTXsZ5lXLZ9IKfanDKg'
+ *
+ * const { payload, protectedHeader } = await jose.jwtVerify(jwt, publicKey, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ *
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @example
+ *
+ * Usage with a public JWK encoded RSA key
+ *
+ * ```js
+ * const alg = 'RS256'
+ * const jwk = {
+ *   kty: 'RSA',
+ *   n: 'whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4HHHsrYCf2-FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS_Yv4hRvWfQPcc2Gc3-_fQOOW57zVy-rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj-KgDPjymkMGoJlO3aKppsjfbt_AH6GGdRghYRLOUwQU-h-ofWHR3lbYiKtXPn5dN24kiHy61e3VAQ9_YAZlwXC_99GGtw_NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZASw',
+ *   e: 'AQAB',
+ * }
+ * const publicKey = await jose.importJWK(jwk, alg)
+ * const jwt =
+ *   'eyJhbGciOiJSUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjY5MDU2NDg4LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.gXrPZ3yM_60dMXGE69dusbpzYASNA-XIOwsb5D5xYnSxyj6_D6OR_uR_1vqhUm4AxZxcrH1_-XJAve9HCw8az_QzHcN-nETt-v6stCsYrn6Bv1YOc-mSJRZ8ll57KVqLbCIbjKwerNX5r2_Qg2TwmJzQdRs-AQDhy-s_DlJd8ql6wR4n-kDZpar-pwIvz4fFIN0Fj57SXpAbLrV6Eo4Byzl0xFD8qEYEpBwjrMMfxCZXTlAVhAq6KCoGlDTwWuExps342-0UErEtyIqDnDGcrfNWiUsoo8j-29IpKd-w9-C388u-ChCxoHz--H8WmMSZzx3zTXsZ5lXLZ9IKfanDKg'
+ *
+ * const { payload, protectedHeader } = await jose.jwtVerify(jwt, publicKey, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ *
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @param jwt JSON Web Token value (encoded as JWS).
+ * @param key Key to verify the JWT with. See
+ *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+ * @param options JWT Decryption and JWT Claims Set validation options.
+ */
+export declare function jwtVerify<PayloadType = types.JWTPayload>(jwt: string | Uint8Array, key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: JWTVerifyOptions): Promise<types.JWTVerifyResult<PayloadType>>;
+/**
+ * @example
+ *
+ * Usage with a public JSON Web Key Set hosted on a remote URL
+ *
+ * ```js
+ * const JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'))
+ *
+ * const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
+ *   issuer: 'urn:example:issuer',
+ *   audience: 'urn:example:audience',
+ * })
+ * console.log(protectedHeader)
+ * console.log(payload)
+ * ```
+ *
+ * @param jwt JSON Web Token value (encoded as JWS).
+ * @param getKey Function resolving a key to verify the JWT with. See
+ *   {@link https://github.com/panva/jose/issues/210#jws-alg Algorithm Key Requirements}.
+ * @param options JWT Decryption and JWT Claims Set validation options.
+ */
+export declare function jwtVerify<PayloadType = types.JWTPayload>(jwt: string | Uint8Array, getKey: JWTVerifyGetKey, options?: JWTVerifyOptions): Promise<types.JWTVerifyResult<PayloadType> & types.ResolvedKey>;

package/dist/types/key/export.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Cryptographic key export functions
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * Exports a public {@link !CryptoKey} or {@link !KeyObject} to a PEM-encoded SPKI string format.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/key/export'`.
+ *
+ * @example
+ *
+ * ```js
+ * const spkiPem = await jose.exportSPKI(publicKey)
+ *
+ * console.log(spkiPem)
+ * ```
+ *
+ * @param key Key to export to a PEM-encoded SPKI string format.
+ */
+export declare function exportSPKI(key: types.CryptoKey | types.KeyObject): Promise<string>;
+/**
+ * Exports a private {@link !CryptoKey} or {@link !KeyObject} to a PEM-encoded PKCS8 string format.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/key/export'`.
+ *
+ * @example
+ *
+ * ```js
+ * const pkcs8Pem = await jose.exportPKCS8(privateKey)
+ *
+ * console.log(pkcs8Pem)
+ * ```
+ *
+ * @param key Key to export to a PEM-encoded PKCS8 string format.
+ */
+export declare function exportPKCS8(key: types.CryptoKey | types.KeyObject): Promise<string>;
+/**
+ * Exports a {@link !CryptoKey}, {@link !KeyObject}, or {@link !Uint8Array} to a JWK.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/key/export'`.
+ *
+ * @example
+ *
+ * ```js
+ * const privateJwk = await jose.exportJWK(privateKey)
+ * const publicJwk = await jose.exportJWK(publicKey)
+ *
+ * console.log(privateJwk)
+ * console.log(publicJwk)
+ * ```
+ *
+ * @param key Key to export as JWK.
+ */
+export declare function exportJWK(key: types.CryptoKey | types.KeyObject | Uint8Array): Promise<types.JWK>;