tessl/pypi-python-jose
JOSE implementation in Python providing JWT, JWS, JWE, and JWK functionality with multiple cryptographic backends.
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-python-jose@3.5.0index.mddocs/
python-jose
A comprehensive Python library implementing the JOSE (JavaScript Object Signing and Encryption) technologies, including JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. The library provides multiple cryptographic backends for flexibility and security, with support for a wide range of algorithms and key formats.
Package Information
- Package Name: python-jose
- Package Type: pypi
- Language: Python
- Installation:
pip install python-jose[cryptography]
Core Imports
from jose import jwt, jws, jwe, jwk
from jose.constants import ALGORITHMS
from jose.exceptions import JOSEError, JWTError, JWSError, JWEError, ExpiredSignatureErrorIndividual module imports:
from jose.jwt import encode, decode, get_unverified_header, get_unverified_claims
from jose.jws import sign, verify, get_unverified_header, get_unverified_claims
from jose.jwe import encrypt, decrypt, get_unverified_header
from jose.jwk import construct, get_keyBasic Usage
from jose import jwt
from jose.constants import ALGORITHMS
# Encode a JWT
token = jwt.encode({'user': 'john', 'exp': 1234567890}, 'secret', algorithm=ALGORITHMS.HS256)
# Decode and verify a JWT
claims = jwt.decode(token, 'secret', algorithms=[ALGORITHMS.HS256])
print(claims) # {'user': 'john', 'exp': 1234567890}
# Handle different key formats
rsa_key = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----"""
token = jwt.encode({'user': 'jane'}, rsa_key, algorithm=ALGORITHMS.RS256)
claims = jwt.decode(token, rsa_key, algorithms=[ALGORITHMS.RS256])Architecture
The python-jose library is organized into four main functional areas:
- JWT Module: High-level JSON Web Token operations with automatic claim validation
- JWS Module: Low-level JSON Web Signature operations for signing and verification
- JWE Module: JSON Web Encryption operations for content encryption and decryption
- JWK Module: JSON Web Key management for handling various key formats and types
The library supports multiple cryptographic backends (cryptography, pycryptodome, native-python) and automatically selects the most secure available backend, with pyca/cryptography being preferred for production use.
Capabilities
JWT Operations
High-level JSON Web Token functionality for encoding, decoding, and validating JWT tokens with comprehensive claim validation and flexible key handling.
def encode(claims, key, algorithm=ALGORITHMS.HS256, headers=None, access_token=None):
"""
Encodes a claims set and returns a JWT string.
Args:
claims (dict): A claims set to sign
key (str or dict): The key to use for signing
algorithm (str): The algorithm to use for signing (default: HS256)
headers (dict, optional): Additional headers
access_token (str, optional): For 'at_hash' claim calculation
Returns:
str: The JWT token string
"""
def decode(token, key, algorithms=None, options=None, audience=None, issuer=None, subject=None, access_token=None):
"""
Decodes and verifies a JWT token.
Args:
token (str): The JWT token to decode
key (str or dict or list): The verification key(s)
algorithms (str or list): Allowed algorithms for verification
options (dict, optional): Verification options
audience (str, optional): Expected audience claim
issuer (str or list, optional): Expected issuer claim(s)
subject (str, optional): Expected subject claim
access_token (str, optional): For 'at_hash' verification
Returns:
dict: The decoded payload claims
"""
def get_unverified_header(token):
"""Get JWT header without verification."""
def get_unverified_claims(token):
"""Get JWT payload claims without verification."""JWS Operations
Low-level JSON Web Signature functionality for signing payloads and verifying signatures with support for multiple algorithms and key formats.
def sign(payload, key, headers=None, algorithm='HS256'):
"""
Signs a payload and returns a JWS string.
Args:
payload (str or dict): A payload to sign
key (str or dict): The key to use for signing
headers (dict, optional): Additional headers
algorithm (str): The algorithm to use for signing
Returns:
bytes: The JWS token
"""
def verify(token, key, algorithms, verify=True):
"""
Verifies a JWS token and returns the payload.
Args:
token (str or bytes): The JWS token to verify
key (str or dict or list): The verification key(s)
algorithms (str or list): Allowed verification algorithms
verify (bool): Whether to verify the signature
Returns:
bytes: The verified payload
"""
def get_unverified_header(token):
"""Get JWS header without verification."""
def get_unverified_claims(token):
"""Get JWS payload without verification."""JWE Operations
JSON Web Encryption functionality for encrypting and decrypting content using various encryption algorithms and key management methods.
def encrypt(plaintext, key, encryption='A256GCM', algorithm='dir', zip=None, cty=None, kid=None):
"""
Encrypts plaintext and returns a JWE string.
Args:
plaintext (bytes): Data to encrypt
key (str or bytes): The encryption key
encryption (str): Content encryption algorithm (default: A256GCM)
algorithm (str): Key encryption algorithm (default: dir)
zip (str, optional): Compression algorithm
cty (str, optional): Content type header
kid (str, optional): Key ID header
Returns:
bytes: The JWE token
"""
def decrypt(jwe_str, key):
"""
Decrypts JWE token and returns plaintext.
Args:
jwe_str (str or bytes): The JWE token to decrypt
key (str or bytes): The decryption key
Returns:
bytes: The decrypted plaintext
"""
def get_unverified_header(jwe_str):
"""Get JWE header without verification."""JWK Management
JSON Web Key functionality for constructing, managing, and converting between different key formats and representations.
def construct(key_data, algorithm=None):
"""
Constructs a JWK from key data.
Args:
key_data (str or bytes or dict): The key material or JWK dict
algorithm (str, optional): Algorithm specification
Returns:
Key: The constructed key object
"""
def get_key(algorithm):
"""
Get key class for algorithm.
Args:
algorithm (str): The algorithm name
Returns:
type or None: The key class or None if not found
"""
class Key:
"""Base key class for all key implementations."""
def sign(self, msg):
"""Sign a message (abstract method)."""
def verify(self, msg, sig):
"""Verify a signature (abstract method)."""Constants and Algorithms
Core algorithm constants and configuration options used throughout the JOSE implementations.
# Digital Signature Algorithms
ALGORITHMS.HS256 # HMAC SHA-256
ALGORITHMS.HS384 # HMAC SHA-384
ALGORITHMS.HS512 # HMAC SHA-512
ALGORITHMS.RS256 # RSA PKCS#1 SHA-256
ALGORITHMS.RS384 # RSA PKCS#1 SHA-384
ALGORITHMS.RS512 # RSA PKCS#1 SHA-512
ALGORITHMS.ES256 # ECDSA P-256 SHA-256
ALGORITHMS.ES384 # ECDSA P-384 SHA-384
ALGORITHMS.ES512 # ECDSA P-521 SHA-512
# Content Encryption Algorithms
ALGORITHMS.A128GCM # AES-128-GCM
ALGORITHMS.A192GCM # AES-192-GCM
ALGORITHMS.A256GCM # AES-256-GCM
ALGORITHMS.A128CBC_HS256 # AES-128-CBC + HMAC-SHA-256
ALGORITHMS.A192CBC_HS384 # AES-192-CBC + HMAC-SHA-384
ALGORITHMS.A256CBC_HS512 # AES-256-CBC + HMAC-SHA-512
# Key Encryption Algorithms
ALGORITHMS.DIR # Direct encryption
ALGORITHMS.RSA1_5 # RSA PKCS#1 v1.5
ALGORITHMS.RSA_OAEP # RSA OAEP
ALGORITHMS.A128KW # AES-128 Key Wrap
ALGORITHMS.A192KW # AES-192 Key Wrap
ALGORITHMS.A256KW # AES-256 Key WrapError Handling
The library provides specific exception types for different error conditions:
class JOSEError(Exception):
"""Base exception for all JOSE errors."""
class JWTError(JOSEError):
"""JWT-specific errors."""
class JWSError(JOSEError):
"""JWS-specific errors."""
class JWEError(JOSEError):
"""JWE-specific errors."""
class JWKError(JOSEError):
"""JWK-specific errors."""
class ExpiredSignatureError(JWTError):
"""JWT expired signature errors."""Common error handling patterns:
from jose import jwt
from jose.exceptions import JWTError, ExpiredSignatureError
try:
claims = jwt.decode(token, key, algorithms=['HS256'])
except ExpiredSignatureError:
print("Token has expired")
except JWTError as e:
print(f"Token validation failed: {e}")