{"id":2828,"library":"types-jwcrypto","title":"Typing stubs for jwcrypto (types-jwcrypto)","description":"types-jwcrypto provides static type annotations for the jwcrypto library, enabling type checkers like Mypy and Pyright to validate code that uses jwcrypto. jwcrypto is a Python implementation of the JOSE (Javascript Object Signing and Encryption) Web Standards, including JWK, JWS, JWE, and JWT, and leverages the Cryptography package for its cryptographic operations. This stub package is part of the typeshed project and is released automatically, often daily. The current version is 1.5.7.20260409, targeting jwcrypto==1.5.*.","status":"active","version":"1.5.7.20260409","language":"en","source_language":"en","source_url":"https://github.com/python/typeshed","tags":["typing","stubs","jwcrypto","JOSE","JWT","JWS","JWE","JWK","security"],"install":[{"cmd":"pip install types-jwcrypto jwcrypto","lang":"bash","label":"Install stubs and runtime library"}],"dependencies":[{"reason":"Provides type stubs for this library.","package":"jwcrypto","optional":false},{"reason":"Runtime dependency of jwcrypto for cryptographic functions.","package":"cryptography","optional":false}],"imports":[{"symbol":"JWK","correct":"from jwcrypto.jwk import JWK"},{"symbol":"JWS","correct":"from jwcrypto.jws import JWS"},{"symbol":"JWE","correct":"from jwcrypto.jwe import JWE"},{"symbol":"JWT","correct":"from jwcrypto.jwt import JWT"}],"quickstart":{"code":"from jwcrypto import jwk, jwt\nimport json\nimport time\n\n# 1. Generate a symmetric key\nkey = jwk.JWK.generate(kty='oct', size=256)\n\n# 2. Define claims (payload)\nclaims = {\n    'iss': 'my-app',\n    'aud': 'your-service',\n    'sub': 'user123',\n    # Expiration time (Unix timestamp); it must lie in the future,\n    # otherwise the validation in step 6 rejects the token as expired\n    'exp': int(time.time()) + 3600\n}\n\n# 3. Create a JWT object with header and claims\ntoken = jwt.JWT(header={'alg': 'HS256'}, claims=claims)\n\n# 4. Sign the token\ntoken.make_signed_token(key)\n\n# 5. 
Serialize the token to a compact string\ncompact_token = token.serialize()\nprint(f\"Generated JWT: {compact_token}\")\n\n# 6. Deserialize and validate the token\n# In a real application, you would receive 'compact_token' from a client\n# and validate it with a trusted key.\n\ndecoded_token = jwt.JWT(jwt=compact_token, key=key)\n# No explicit validate() call needed if key is provided during instantiation\n# However, it's good practice to call it if you deserialize without a key first.\n# decoded_token.validate(key) # This can be used if `jwt` was created without `key`\n\nprint(f\"Decoded claims: {json.dumps(json.loads(decoded_token.claims), indent=2)}\")\n","lang":"python","description":"This quickstart demonstrates how to generate a symmetric key, create claims, sign a JSON Web Token (JWT) using that key, serialize it into its compact form, and then deserialize and validate it. For asymmetric keys (RSA, EC), the key generation and signing steps would differ slightly, requiring separate public/private key components."},"warnings":[{"fix":"Explicitly set the `expect_type` argument (e.g., `jwt.JWT(jwt=token_str, key=public_key, expect_type='JWS')`) or ensure your application handles the new validation exceptions. Refactor code to avoid relying on implicit type detection.","message":"jwcrypto versions 1.4.x introduced breaking changes to JWT validation (CVE-2022-3102 fix). The `JWT` constructor and `validate` method now include an `expect_type` argument, defaulting to 'JWS' or 'JWE' based on context. If the token type doesn't match the expected type, an `InvalidJWSToken` or `InvalidJWEToken` exception is raised. An optional `born-deprecated` module-level variable can temporarily restore old behavior, but its use is strongly discouraged due to security implications.","severity":"breaking","affected_versions":"jwcrypto>=1.4.0"},{"fix":"Avoid using `RSA1_5` for encryption or signing. 
Migrate to more secure algorithms like `RSA-OAEP` for encryption or `RSASSA-PSS` for signing, which are generally recommended by the JOSE standards.","message":"The `RSA1_5` algorithm is considered deprecated in jwcrypto due to known security vulnerabilities (Bleichenbacher RSA padding oracle attack). Using it can lead to severe issues like decryption of intercepted messages or forged signatures.","severity":"deprecated","affected_versions":"jwcrypto>=1.0.0"},{"fix":"Upgrade the underlying `jwcrypto` library to version 1.5.6 or higher. The `types-jwcrypto` package targets `jwcrypto==1.5.*`, so ensuring `jwcrypto` is updated within that minor version range is crucial.","message":"jwcrypto versions prior to 1.5.6 were vulnerable to a Denial of Service (DoS) attack (CVE-2024-28102) where a malicious JWE token with a high compression ratio could consume excessive memory and processing time. This could impact application availability.","severity":"breaking","affected_versions":"jwcrypto<1.5.6"},{"fix":"It is best practice to keep the version of `types-jwcrypto` synchronized with the minor version of your `jwcrypto` dependency. Pin your `types-jwcrypto` dependency to match the `jwcrypto` minor version (e.g., `types-jwcrypto~=1.5.0` if `jwcrypto~=1.5.0`) and regularly update both, verifying with your type checker.","message":"Typeshed stub package versions (like types-jwcrypto) typically encode the upstream library's major and minor version, followed by a calendar version (e.g., `1.5.0.20260402` for `jwcrypto==1.5.*`). This means that `types-jwcrypto` may not precisely track patch versions of `jwcrypto` that introduce API changes or bug fixes relevant to typing. Discrepancies between the exact runtime version and stub version can lead to type-checking errors.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}