{"id":14831,"library":"pyjwkest","title":"pyjwkest: JSON Web Key (JWK) / Token (JWT) library","description":"pyjwkest is a Python implementation of JSON Web Token (JWT), JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Key (JWK) specifications. Currently at version 1.4.4, the library is in maintenance mode, meaning only security-critical bugs will be fixed, and no new features are planned. Releases are infrequent, focusing on stability and security.","status":"maintenance","version":"1.4.4","language":"en","source_language":"en","source_url":"https://github.com/IdentityPython/pyjwkest","tags":["jwt","jws","jwe","jwk","cryptography","security","oauth2","openid-connect"],"install":[{"cmd":"pip install pyjwkest","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Provides underlying cryptographic primitives for JWT, JWS, JWE operations.","package":"pycryptodomex","optional":false},{"reason":"Used for ASN.1 parsing, relevant for cryptographic operations, especially with certificates.","package":"pyasn1","optional":false},{"reason":"Provides additional ASN.1 modules, extending pyasn1's capabilities for crypto.","package":"pyasn1_modules","optional":false}],"imports":[{"symbol":"JWT","correct":"from jwkest.jwt import JWT"},{"symbol":"JWS","correct":"from jwkest.jws import JWS"},{"symbol":"JWE","correct":"from jwkest.jwe import JWE"},{"symbol":"RSAKey","correct":"from jwkest.jwk import RSAKey"},{"symbol":"ECKey","correct":"from jwkest.jwk import ECKey"},{"symbol":"symKey","correct":"from jwkest.jwk import symKey"},{"symbol":"generate_key","correct":"from jwkest.jwk import generate_key"}],"quickstart":{"code":"import json\nfrom jwkest.jwk import RSAKey, generate_key\nfrom jwkest.jws import JWS\n\n# 1. Generate an RSA key pair for signing and verification\nprint(\"Generating RSA key pair...\")\nrsa_key = generate_key(alg='RS256', size=2048)\nprivate_jwk = rsa_key.export_private()\npublic_jwk = rsa_key.export_public()\n\nprint(\"Private JWK (fragment):\", {k: v for k, v in private_jwk.items() if k != 'd' and len(str(v)) < 50})\nprint(\"Public JWK (fragment):\", {k: v for k, v in public_jwk.items() if len(str(v)) < 50})\n\n# 2. Define JWT claims\nclaims = {\n    \"iss\": \"example.com\",\n    \"aud\": \"client.example.org\",\n    \"sub\": \"user123\",\n    \"exp\": 1893456000 # January 1, 2030\n}\nprint(\"\\nClaims to sign:\", claims)\n\n# 3. Create a JWS object and sign the claims\n_jws_signer = JWS(json.dumps(claims))\nsigned_jwt = _jws_signer.sign(private_jwk)\nprint(\"\\nSigned JWT:\", signed_jwt)\n\n# 4. Verify the JWT using the public key\nprint(\"\\nVerifying JWT...\")\n_jws_verifier = JWS(signed_jwt)\ntry:\n    # Pass the public key for verification\n    verified_payload_str = _jws_verifier.verify(jwk=public_jwk)\n    verified_payload = json.loads(verified_payload_str)\n    print(\"Verification successful!\")\n    print(\"Verified payload:\", verified_payload)\nexcept Exception as e:\n    print(f\"Verification failed: {e}\")\n","lang":"python","description":"This quickstart demonstrates how to generate an RSA key pair, sign a set of claims into a JSON Web Token (JWT) using JWS, and then verify the signed JWT using the public key. It covers the basic flow for secure data exchange."},"warnings":[{"fix":"Upgrade to pyjwkest >= 1.2.0 and ensure `pycryptodomex` is installed. Remove any direct `pycrypto` dependencies or usage.","message":"The underlying cryptographic library changed from `pycrypto` to `pycryptodomex` in versions 1.1.0 and 1.2.0. Direct imports or assumptions about the crypto backend from `pycrypto` will break.","severity":"breaking","affected_versions":"<=1.0.10"},{"fix":"Consider this status when starting new projects or evaluating long-term support. Monitor for security updates, but don't expect feature enhancements.","message":"The `pyjwkest` library is officially in maintenance mode. This means only security-critical bugs will be addressed, and no new features or significant development are planned. Users should be aware of this for long-term project planning.","severity":"gotcha","affected_versions":">=1.4.4"},{"fix":"Upgrade to pyjwkest 1.4.4 or newer to leverage fixes that address these deprecated APIs.","message":"Older versions of pyjwkest (before 1.4.4) may use deprecated `array.tostring` and `array.tobytes` APIs, which can lead to warnings or errors in newer Python environments.","severity":"deprecated","affected_versions":"<1.4.4"},{"fix":"Upgrade to pyjwkest 1.4.4 to benefit from improved error handling and support for EC key deserialization. Always ensure EC keys conform to standard formats.","message":"Deserialization of EC (Elliptic Curve) keys can be problematic in older versions, specifically if the keys use unsupported curves or malformed formats, leading to exceptions.","severity":"gotcha","affected_versions":"<1.4.4"},{"fix":"Upgrade to pyjwkest 1.3.2 or newer, especially if your application uses symmetric keys. Re-evaluate any existing symmetric keys generated with older versions.","message":"Version 1.3.2 fixed a major problem in symmetric key construction. Code relying on symmetric keys from versions before 1.3.2 might generate incorrect or insecure keys.","severity":"breaking","affected_versions":"<1.3.2"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z","problems":[],"ecosystem":"pypi"}