Changelog

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

Unreleased

v2.10.1

Fixed

v2.10.0

Changed

  • Remove algorithm requirement from JWT API, instead relying on JWS API for enforcement, by @luhn in #975

  • Use Sequence for parameter types rather than List where applicable by @imnotjames in #970

  • Add JWK support to JWT encode by @luhn in #979

  • Encoding and decoding payloads using the none algorithm by @jpadilla in #c2629f6 <https://github.com/jpadilla/pyjwt/commit/c2629f66c593459e02616048443231ccbe18be16>

    Before:

    >>> import jwt
    >>> jwt.encode({"payload": "abc"}, key=None, algorithm=None)
    

    After:

    >>> import jwt
    >>> jwt.encode({"payload": "abc"}, key=None, algorithm="none")
    
  • Added validation for ‘sub’ (subject) and ‘jti’ (JWT ID) claims in tokens by @Divan009 in #1005

  • Refactor project configuration files from setup.cfg to pyproject.toml by @cleder in #995

  • Ruff linter and formatter changes by @gagandeepp in #1001

  • Drop support for Python 3.8 (EOL) by @kkirsche in #1007

Fixed

  • Encode EC keys with a fixed bit length by @etianen in #990

  • Add an RTD config file to resolve Read the Docs build failures by @kurtmckee in #977

  • Docs: Update iat exception docs by @pachewise in #974

  • Docs: Fix decode_complete scope and algorithms by @RbnRncn in #982

  • Fix doctest for docs/usage.rst by @pachewise in #986

  • Fix test_utils.py not to xfail by @pachewise in #987

  • Docs: Correct jwt.decode audience param doc expression by @peter279k in #994

Added

  • Add support for python 3.13 by @hugovk in #972

  • Create SECURITY.md by @auvipy and @jpadilla in #973

  • Docs: Add PS256 encoding and decoding usage by @peter279k in #992

  • Docs: Add API docs for PyJWK by @luhn in #980

  • Docs: Add EdDSA algorithm encoding/decoding usage by @peter279k in #993

  • Include checkers and linters for pyproject.toml in pre-commit by @cleder in #1002

  • Docs: Add ES256 decoding usage by @Gautam-Hegde in #1003 <https://github.com/jpadilla/pyjwt/pull/1003>

v2.9.0

Changed

  • Drop support for Python 3.7 (EOL) by @hugovk in #910

  • Allow JWT issuer claim validation to accept a list of strings too by @mattpollak in #913

Fixed

  • Fix unnecessary string concatenation by @sirosen in #904

  • Fix docs for jwt.decode_complete to include strict_aud option by @woodruffw in #923

  • Fix docs step by @jpadilla in #950

  • Fix: Remove an unused variable from example code block by @kenkoooo in #958

Added

  • Add support for Python 3.12 by @hugovk in #910

  • Improve performance of is_ssh_key + add unit test by @bdraco in #940

  • Allow jwt.decode() to accept a PyJWK object by @luhn in #886

  • Make algorithm_name attribute available on PyJWK by @luhn in #886

  • Raise InvalidKeyError on invalid PEM keys to be compatible with cryptography 42.x.x by @CollinEMac in #952

  • Raise an exception when required cryptography dependency is missing by @tobloef in https://github.com/jpadilla/pyjwt/pull/963

v2.8.0

Changed

  • Update python version test matrix by @auvipy in #895

Fixed

Added

  • Add strict_aud as an option to jwt.decode by @woodruffw in #902

  • Export PyJWKClientConnectionError class by @daviddavis in #887

  • Allows passing of ssl.SSLContext to PyJWKClient by @juur in #891

v2.7.0

Changed

  • Changed the error message when the token audience doesn’t match the expected audience by @irdkwmnsb in #809

  • Improve error messages when cryptography isn’t installed by @Viicos in #846

  • Make Algorithm an abstract base class by @Viicos in #845

  • ignore invalid keys in a jwks by @timw6n in #863

Fixed

  • Add classifier for Python 3.11 by @eseifert in #818

  • Fix _validate_iat validation by @Viicos in #847

  • fix: use the datetime.datetime.timestamp function to include milliseconds by @daillouf in #821

  • docs: correct mistake in the changelog about verify param by @gbillig in #866

Added

  • Add compute_hash_digest as a method of Algorithm objects, which uses the underlying hash algorithm to compute a digest. If there is no appropriate hash algorithm, a NotImplementedError is raised. #775

  • Add optional headers argument to PyJWKClient. If provided, the headers will be included in requests that the client uses when fetching the JWK set by @thundercat1 in #823

  • Add PyJWT._{de,en}code_payload hooks by @akx in #829

  • Add sort_headers parameter to api_jwt.encode by @evroon in #832

  • Make mypy configuration stricter and improve typing by @akx in #830

  • Add more types by @Viicos in #843

  • Add a timeout for PyJWKClient requests by @daviddavis in #875

  • Add client connection error exception by @daviddavis in #876

  • Add complete types to take all allowed keys into account by @Viicos in #873

  • Add as_dict option to Algorithm.to_jwk by @fluxth in #881

v2.6.0

Changed

  • bump up cryptography >= 3.4.0 by @jpadilla in #807

  • Remove types-cryptography from crypto extra by @lautat in #805

Fixed

  • Invalidate token on the exact second the token expires #797

  • fix: version 2.5.0 heading typo by @c0state in #803

Added

v2.5.0

Changed

  • Skip keys with incompatible alg when loading JWKSet by @DaGuich in #762

  • Remove support for python3.6 by @sirosen in #777

  • Emit a deprecation warning for unsupported kwargs by @sirosen in #776

  • Remove redundant wheel dep from pyproject.toml by @mgorny in #765

  • Do not fail when an unusable key occurs by @DaGuich in #762

  • Update audience typing by @JulianMaurin in #782

  • Improve PyJWKSet error accuracy by @JulianMaurin in #786

  • Mypy as pre-commit check + api_jws typing by @JulianMaurin in #787

Fixed

  • Adjust expected exceptions in option merging tests for PyPy3 by @mgorny in #763

  • Fixes for pyright on strict mode by @brandon-leapyear in #747

  • docs: fix simple typo, iinstance -> isinstance by @timgates42 in #774

  • Fix typo: priot -> prior by @jdufresne in #780

  • Fix for headers disorder issue by @kadabusha in #721

Added

  • Add to_jwk static method to ECAlgorithm by @leonsmith in #732

  • Expose get_algorithm_by_name as new method by @sirosen in #773

  • Add type hints to jwt/help.py and add missing types dependency by @kkirsche in #784

  • Add caching functionality for JWK set by @wuhaoyujerry in #781

v2.4.0

Security

Changed

Fixed

Added

v2.3.0

Fixed

  • Revert “Remove arbitrary kwargs.” #701

Added

  • Add exception chaining #702

v2.2.0

Changed

  • Remove arbitrary kwargs. #657

  • Use timezone package as Python 3.5+ is required. #694

Fixed

  • Assume JWK without the “use” claim is valid for signing as per RFC7517 #668

  • Prefer headers["alg"] to algorithm in jwt.encode(). #673

  • Fix aud validation to support the {"aud": null} case. #670

  • Make typ optional in JWT to be compliant with RFC7519. #644

  • Remove upper bound on cryptography version. #693

Added

  • Add support for Ed448/EdDSA. #675

v2.1.0

Changed

  • Allow claims validation without making JWT signature validation mandatory. #608

Fixed

  • Remove padding from JWK test data. #628

  • Make kty mandatory in JWK to be compliant with RFC7517. #624

  • Allow JWK without alg to be compliant with RFC7517. #624

  • Allow to verify with private key on ECAlgorithm, as well as on Ed25519Algorithm. #645

Added

  • Add caching by default to PyJWKClient #611

  • Add missing exceptions.InvalidKeyError to jwt module __init__ imports #620

  • Add support for ES256K algorithm #629

  • Add from_jwk() to Ed25519Algorithm #621

  • Add to_jwk() to Ed25519Algorithm #643

  • Export PyJWK and PyJWKSet #652

v2.0.1

Changed

  • Rename CHANGELOG.md to CHANGELOG.rst and include in docs #597

Fixed

  • Fix from_jwk() for all algorithms #598

Added

v2.0.0

Changed

Drop support for Python 2 and Python 3.0-3.5

Python 3.5 is EOL, so we decided to drop support for it. Version 1.7.1 is the last release supporting Python 3.0-3.5.

Require cryptography >= 3

Drop support for PyCrypto and ECDSA

We’ve kept this around for a long time, mostly for environments that didn’t allow installing cryptography.

Drop CLI

Dropped the included cli entry point.

Improve typings

We no longer need to use mypy's Python 2 compatibility mode (type comments).

jwt.encode(...) return type

Tokens are returned as a string instead of a byte string.

Dropped deprecated errors

Removed ExpiredSignature, InvalidAudience, and InvalidIssuer. Use ExpiredSignatureError, InvalidAudienceError, and InvalidIssuerError instead.

Dropped deprecated verify_expiration param in jwt.decode(...)

Use jwt.decode(encoded, key, algorithms=["HS256"], options={"verify_exp": False}) instead.

Dropped deprecated verify param in jwt.decode(...)

Use jwt.decode(encoded, key, options={"verify_signature": False}) instead.

Require explicit algorithms in jwt.decode(...) by default

Example: jwt.decode(encoded, key, algorithms=["HS256"]).

Dropped deprecated require_* options in jwt.decode(...)

For example, instead of jwt.decode(encoded, key, algorithms=["HS256"], options={"require_exp": True}), use jwt.decode(encoded, key, algorithms=["HS256"], options={"require": ["exp"]}).

The old v1.x syntax jwt.decode(token, verify=False) is now jwt.decode(jwt=token, key='secret', algorithms=['HS256'], options={"verify_signature": False}).
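The decode defaults this section describes (signature verified, algorithms mandatory, verify_signature and require options), the explicit "none" algorithm change listed under v2.10.0, and the alg=None bypass fixed in v1.0.0 (#109/#110), shown in one added example: a minimal HS256 JWS encoder and verifier written for this page with the standard library. It is not PyJWT's own code; the exception class, key and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

class InvalidTokenError(Exception):
    """Any rejection by the verifier below (stand-in for PyJWT's exception classes)."""

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode(payload: dict, key: bytes, algorithm: str = "HS256") -> str:
    """Build a compact JWS. As in v2.10.0, an unsigned token is produced only when
    'none' is requested by name; algorithm=None is an error, not a fallback to 'none'."""
    if algorithm not in ("HS256", "none"):
        raise NotImplementedError(f"unsupported algorithm {algorithm!r}")
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in ({"typ": "JWT", "alg": algorithm}, payload)]
    signing_input = ".".join(segments).encode()
    sig = b"" if algorithm == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(sig)])

def decode(token: str, key: bytes, algorithms=None, options=None) -> dict:
    """Verify and decode with the v2.0.0 defaults: signature checked, 'algorithms'
    mandatory, 'exp' enforced, further claims demanded through options['require']."""
    opts = {"verify_signature": True, "verify_exp": True, "require": []}
    opts.update(options or {})
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidTokenError("malformed token") from exc
    if opts["verify_signature"]:
        # The header's alg is attacker-controlled, so it is honoured only when the caller
        # listed it: the allowlist that closed the alg=none bypass fixed in #109/#110.
        if not algorithms:
            raise InvalidTokenError("algorithms must be given when verifying a signature")
        alg = header.get("alg")
        if alg not in algorithms:
            raise InvalidTokenError(f"alg {alg!r} is not in the allowed list {algorithms}")
        if alg != "HS256":
            raise NotImplementedError("this example verifies HS256 signatures only")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise InvalidTokenError("signature verification failed")
    for claim in opts["require"]:
        if claim not in payload:
            raise InvalidTokenError(f"token is missing the required claim {claim!r}")
    # '<=' rejects the token on the exact second it expires (the #797 fix in v2.6.0).
    if opts["verify_exp"] and "exp" in payload and payload["exp"] <= time.time():
        raise InvalidTokenError("signature has expired")
    return payload
```

Passing options={"verify_signature": False} returns the claims of any well-formed token, including an unsigned one, so it is only suitable for inspection, never for authorization.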

Added

Introduce better experience for JWKs

Introduce PyJWK, PyJWKSet, and PyJWKClient.

import jwt
from jwt import PyJWKClient

# Token, key id and JWKS endpoint from the original example; the token's exp
# (October 2019) is long past, which is why verify_exp is disabled below.
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5FRTFRVVJCT1RNNE16STVSa0ZETlRZeE9UVTFNRGcyT0Rnd1EwVXpNVGsxUWpZeVJrUkZRdyJ9.eyJpc3MiOiJodHRwczovL2Rldi04N2V2eDlydS5hdXRoMC5jb20vIiwic3ViIjoiYVc0Q2NhNzl4UmVMV1V6MGFFMkg2a0QwTzNjWEJWdENAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vZXhwZW5zZXMtYXBpIiwiaWF0IjoxNTcyMDA2OTU0LCJleHAiOjE1NzIwMDY5NjQsImF6cCI6ImFXNENjYTc5eFJlTFdVejBhRTJINmtEME8zY1hCVnRDIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.PUxE7xn52aTCohGiWoSdMBZGiYAHwE5FYie0Y1qUT68IHSTXwXVd6hn02HTah6epvHHVKA2FqcFZ4GGv5VTHEvYpeggiiZMgbxFrmTEY0csL6VNkX1eaJGcuehwQCRBKRLL3zKmA5IKGy5GeUnIbpPHLHDxr-GXvgFzsdsyWlVQvPX2xjeaQ217r2PtxDeqjlf66UYl6oY6AqNS8DH3iryCvIfCcybRZkc_hdy-6ZMoKT6Piijvk_aXdm7-QQqKJFHLuEqrVSOuBqqiNfVrG27QzAPuPOxvfXTVLXL2jek5meH6n-VWgrBdoMFH93QEszEDowDAEhQPHVs0xj7SIzA"
kid = "NEE1QURBOTM4MzI5RkFDNTYxOTU1MDg2ODgwQ0UzMTk1QjYyRkRFQw"
url = "https://dev-87evx9ru.auth0.com/.well-known/jwks.json"

# Fetch the JWK set and select the key whose kid matches the token header.
jwks_client = PyJWKClient(url)
signing_key = jwks_client.get_signing_key_from_jwt(token)

# Verify the signature against the explicit algorithm allowlist and the expected audience.
data = jwt.decode(
    token,
    signing_key.key,
    algorithms=["RS256"],
    audience="https://expenses-api",
    options={"verify_exp": False},
)
print(data)

Support for JWKs containing ECDSA keys

Add support for Ed25519 / EdDSA

Pull Requests

  • Add PyPy3 to the test matrix (#550) by @jdufresne

  • Require tweak (#280) by @psafont

  • Decode return type is dict[str, Any] (#393) by @jacopofar

  • Fix linter error in test_cli (#414) by @jaraco

  • Run mypy with tox (#421) by @jpadilla

  • Document (and prefer) pyjwt[crypto] req format (#426) by @gthb

  • Correct type for json_encoder argument (#438) by @jdufresne

  • Prefer https:// links where available (#439) by @jdufresne

  • Pass python_requires argument to setuptools (#440) by @jdufresne

  • Rename [wheel] section to [bdist_wheel] as the former is legacy (#441) by @jdufresne

  • Remove setup.py test command in favor of pytest and tox (#442) by @jdufresne

  • Fix mypy errors (#449) by @jpadilla

  • DX Tweaks (#450) by @jpadilla

  • Add support of python 3.8 (#452) by @Djailla

  • Fix 406 (#454) by @justinbaur

  • Add support for Ed25519 / EdDSA, with unit tests (#455) by @Someguy123

  • Remove Python 2.7 compatibility (#457) by @Djailla

  • Fix simple typo: encododed -> encoded (#462) by @timgates42

  • Enhance tracebacks. (#477) by @JulienPalard

  • Simplify python_requires (#478) by @michael-k

  • Document top-level .encode and .decode to close #459 (#482) by @dimaqq

  • Improve documentation for audience usage (#484) by @CorreyL

  • Correct README on how to run tests locally (#489) by @jdufresne

  • Fix tox -e lint warnings and errors (#490) by @jdufresne

  • Run pyupgrade across project to use modern Python 3 conventions (#491) by @jdufresne

  • Add Python-3-only trove classifier and remove “universal” from wheel (#492) by @jdufresne

  • Emit warnings about user code, not pyjwt code (#494) by @mgedmin

  • Move setup information to declarative setup.cfg (#495) by @jdufresne

  • CLI options for verifying audience and issuer (#496) by @GeoffRichards

  • Specify the target Python version for mypy (#497) by @jdufresne

  • Remove unnecessary compatibility shims for Python 2 (#498) by @jdufresne

  • Setup GH Actions (#499) by @jpadilla

  • Implementation of ECAlgorithm.from_jwk (#500) by @jpadilla

  • Remove cli entry point (#501) by @jpadilla

  • Expose InvalidKeyError on jwt module (#503) by @russellcardullo

  • Avoid loading token twice in pyjwt.decode (#506) by @CaselIT

  • Default links to stable version of documentation (#508) by @salcedo

  • Update README.md badges (#510) by @jpadilla

  • Introduce better experience for JWKs (#511) by @jpadilla

  • Fix tox conditional extras (#512) by @jpadilla

  • Return tokens as string not bytes (#513) by @jpadilla

  • Drop support for legacy contrib algorithms (#514) by @jpadilla

  • Drop deprecation warnings (#515) by @jpadilla

  • Update Auth0 sponsorship link (#519) by @Sambego

  • Update return type for jwt.encode (#521) by @moomoolive

  • Run tests against Python 3.9 and add trove classifier (#522) by @michael-k

  • Removed redundant default_backend() (#523) by @rohitkg98

  • Documents how to use private keys with passphrases (#525) by @rayluo

  • Update version to 2.0.0a1 (#528) by @jpadilla

  • Fix usage example (#530) by @nijel

  • add EdDSA to docs (#531) by @CircleOnCircles

  • Remove support for EOL Python 3.5 (#532) by @jdufresne

  • Upgrade to isort 5 and adjust configurations (#533) by @jdufresne

  • Remove unused argument “verify” from PyJWS.decode() (#534) by @jdufresne

  • Update typing syntax and usage for Python 3.6+ (#535) by @jdufresne

  • Run pyupgrade to simplify code and use Python 3.6 syntax (#536) by @jdufresne

  • Drop unknown pytest config option: strict (#537) by @jdufresne

  • Upgrade black version and usage (#538) by @jdufresne

  • Remove “Command line” sections from docs (#539) by @jdufresne

  • Use existing key_path() utility function throughout tests (#540) by @jdufresne

  • Replace force_bytes()/force_unicode() in tests with literals (#541) by @jdufresne

  • Remove unnecessary Unicode decoding before json.loads() (#542) by @jdufresne

  • Remove unnecessary force_bytes() calls prior to base64url_decode() (#543) by @jdufresne

  • Remove deprecated arguments from docs (#544) by @jdufresne

  • Update code blocks in docs (#545) by @jdufresne

  • Refactor jwt/jwks_client.py without requests dependency (#546) by @jdufresne

  • Tighten bytes/str boundaries and remove unnecessary coercing (#547) by @jdufresne

  • Replace codecs.open() with builtin open() (#548) by @jdufresne

  • Replace int_from_bytes() with builtin int.from_bytes() (#549) by @jdufresne

  • Enforce .encode() return type using mypy (#551) by @jdufresne

  • Prefer direct indexing over options.get() (#552) by @jdufresne

  • Cleanup “noqa” comments (#553) by @jdufresne

  • Replace merge_dict() with builtin dict unpacking generalizations (#555) by @jdufresne

  • Do not mutate the input payload in PyJWT.encode() (#557) by @jdufresne

  • Use direct indexing in PyJWKClient.get_signing_key_from_jwt() (#558) by @jdufresne

  • Split PyJWT/PyJWS classes to tighten type interfaces (#559) by @jdufresne

  • Simplify mocked_response test utility function (#560) by @jdufresne

  • Autoupdate pre-commit hooks and apply them (#561) by @jdufresne

  • Remove unused argument “payload” from PyJWS._verify_signature() (#562) by @jdufresne

  • Add utility functions to assist test skipping (#563) by @jdufresne

  • Type hint jwt.utils module (#564) by @jdufresne

  • Prefer ModuleNotFoundError over ImportError (#565) by @jdufresne

  • Fix tox “manifest” environment to pass (#566) by @jdufresne

  • Fix tox “docs” environment to pass (#567) by @jdufresne

  • Simplify black configuration to be closer to upstream defaults (#568) by @jdufresne

  • Use generator expressions (#569) by @jdufresne

  • Simplify from_base64url_uint() (#570) by @jdufresne

  • Drop lint environment from GitHub actions in favor of pre-commit.ci (#571) by @jdufresne

  • [pre-commit.ci] pre-commit autoupdate (#572)

  • Simplify tox configuration (#573) by @jdufresne

  • Combine identical test functions using pytest.mark.parametrize() (#574) by @jdufresne

  • Complete type hinting of jwks_client.py (#578) by @jdufresne

v1.7.1

Fixed

  • Update test dependencies with pinned ranges

  • Fix pytest deprecation warnings

v1.7.0

Changed

  • Remove CRLF line endings #353

Fixed

  • Update usage.rst #360

Added

v1.6.4

Fixed

  • Reverse an unintentional breaking API change to .decode() #352

v1.6.3

Changed

  • All exceptions inherit from PyJWTError #340

Added

Docs

  • Added section to usage docs for jwt.get_unverified_header() #350

  • Update legacy instructions for using pycrypto #337

v1.6.1

Fixed

  • Audience parameter throws InvalidAudienceError when application does not specify an audience, but the token does. #336

v1.6.0

Changed

  • Dropped support for python 2.6 and 3.3 #301

  • An invalid signature now raises an InvalidSignatureError instead of DecodeError #316

Fixed

  • Fix over-eager fallback to stdin #304

Added

  • Audience parameter now supports iterables #306

v1.5.3

Changed

  • Increase required version of the cryptography package to >=1.4.0.

Fixed

  • Remove uses of deprecated functions from the cryptography package.

  • Warn about missing algorithms param to decode() only when verify param is True #281

v1.5.2

Fixed

  • Ensure correct arguments order in decode super call 7c1e61d

v1.5.1

Changed

  • Replace optparse with argparse. #238

Fixed

  • Guard against PKCS1 PEM encoded public keys #277

  • Add deprecation warning when decoding without specifying algorithms #277

  • Improve deprecation messages #270

  • PyJWT.decode: move verify param into options #271

Added

  • Support for Python 3.6 #262

  • Expose jwt.InvalidAlgorithmError #264

v1.5.0

Changed

  • Add support for ECDSA public keys in RFC 4253 (OpenSSH) format #244

  • Renamed commandline script jwt to jwt-cli to avoid issues with the script clobbering the jwt module in some circumstances. #187

  • Better error messages when using an algorithm that requires the cryptography package, but it isn’t available #230

  • Tokens with future ‘iat’ values are no longer rejected #190

  • Non-numeric ‘iat’ values now raise InvalidIssuedAtError instead of DecodeError

  • Remove rejection of future ‘iat’ claims #252

Fixed

  • Add back ‘ES512’ for backward compatibility (for now) #225

  • Fix incorrectly named ECDSA algorithm #219

  • Fix rpm build #196

Added

  • Add JWK support for HMAC and RSA keys #202

v1.4.2

Fixed

  • A PEM-formatted key encoded as bytes could cause a TypeError to be raised #213

v1.4.1

Fixed

  • Newer versions of Pytest could not detect warnings properly #182

  • Non-string ‘kid’ value now raises InvalidTokenError #174

  • jwt.decode(None) now gracefully fails with InvalidTokenError #183

v1.4

Fixed

  • Exclude Python cache files from PyPI releases.

Added

  • Added new options to require certain claims (require_nbf, require_iat, require_exp) and raise MissingRequiredClaimError if they are not present.

  • If audience= or issuer= is specified but the claim is not present, MissingRequiredClaimError is now raised instead of InvalidAudienceError and InvalidIssuerError

v1.3

Fixed

  • ECDSA (ES256, ES384, ES512) signatures are now being properly serialized #158

  • RSA-PSS (PS256, PS384, PS512) signatures now use the proper salt length for PSS padding. #163

Added

  • Added a new jwt.get_unverified_header() to parse and return the header portion of a token prior to signature verification.

Removed

  • Python 3.2 is no longer a supported platform. This version of Python is rarely used. Users affected by this should upgrade to 3.3+.

v1.2.0

Fixed

  • Added back verify_expiration= argument to jwt.decode() that was erroneously removed in v1.1.0.

Changed

  • Refactored JWS-specific logic out of PyJWT and into PyJWS superclass. #141

Deprecated

  • verify_expiration= argument to jwt.decode() is now deprecated and will be removed in a future version. Use the options= argument instead.

v1.1.0

Added

  • Added support for PS256, PS384, and PS512 algorithms. #132

  • Added flexible and complete verification options during decode. #131

  • Added this CHANGELOG.md file.

Deprecated

  • Deprecated usage of the .decode(…, verify=False) parameter.

Fixed

  • Fixed command line encoding. #128

v1.0.1

Fixed

  • Include jwt/contrib and jwt/contrib/algorithms in setup.py so that they will actually be included when installing. 882524d

  • Fix bin/jwt after removing jwt.header(). bd57b02

v1.0.0

Changed

  • Moved jwt.api.header out of the public API. #85

  • Added README details how to extract public / private keys from an x509 certificate. #100

  • Refactor api.py functions into an object (PyJWT). #101

  • Added support for PyCrypto and ecdsa when cryptography isn’t available. #101

Fixed

  • Fixed a security vulnerability where alg=None header could bypass signature verification. #109

  • Fixed a security vulnerability by adding support for a whitelist of allowed alg values jwt.decode(algorithms=[]). #110