amosavian
JWSETKit
Swift

A full-featured Swift library for JOSE standards with first-class support for CryptoKit keys, providing JWS, JWT, SD-JWT, and JWE with signing, encryption, and JWK key management.

Last updated Jul 6, 2026
68
Stars
14
Forks
0
Issues
+1
Stars/day
Attention Score
53
Language breakdown
No language data available.
โ–ธ Files click to expand
README

JWSETKit โ€” Swift JWT, JWS, JWE, SD-JWT & JOSE Library

A modern, type-safe Swift library for JSON Web Token (JWT), JSON Web Signature (JWS), and JSON Web Encryption (JWE) with first-class Apple CryptoKit support.

[![Swift][swift-workflow-badge]][swift-workflow-url] [![CodeQL][codeql-workflow-badge]][codeql-workflow-url] [![License][license-badge]][license-url] [![Release version][release-badge]][release-url]

[![Lines of Code][sonar-cloc-badge]][sonar-link] [![Duplicated Lines][sonar-duplicated-lines-badge]][sonar-link]

[![Quality Gate Status][sonar-quality-badge]][sonar-link] [![Technical Debt][sonar-tech-debt-badge]][sonar-link] [![Maintainability Rating][sonar-maintainability-badge]][sonar-link] [![Coverage][codecov-coverage-badge]][codecov-link]

[![][swift-versions-badge]][spi-url] [![][platforms-badge]][spi-url]

Overview

Building secure authentication in Swift? JWSETKit is your complete solution for working with JSON Web Tokens (JWT), JSON Web Signatures (JWS), and JSON Web Encryption (JWE) with native Apple CryptoKit integration.

This module makes it possible to serialize, deserialize, create, and verify JWS/JWT messages.

๐Ÿ“– Table of Contents

๐Ÿš€ Features

Core Capabilities

โœ… JWT (JSON Web Tokens)

  • Create, sign, verify, and decode JWT tokens
  • Support for standard and custom claims
  • Expiration and validation handling
โœ… JWS (JSON Web Signature)
  • Digital signatures with multiple algorithms
  • Message authentication codes (MACs)
  • Detached signature support
โœ… JWE (JSON Web Encryption)
  • Content encryption with various algorithms
  • Key wrapping and management
  • Compact and JSON serialization
โœ… SD-JWT (Selective Disclosure)

  • RFC 9901 compliant selective disclosure
  • Privacy-preserving credential presentations
  • Key binding for holder authentication
  • SD-JWT VC support for Verifiable Credentials
โœ… JWK (JSON Web Keys)
  • Key generation and management
  • Key conversion and serialization
  • Support for key sets (JWKS)
โœ… Server-Side Swift (requires the HTTP trait)
  • Drop-in [Vapor][docs-vapor] and [Hummingbird][docs-hummingbird] integration via HTTPHeaders / HTTPFields extensions
  • Verify Authorization tokens directly from request headers
  • Remote JWKS fetching for Apple, Google, Firebase, Microsoft, and any OpenID Connect issuer
  • DPoP (RFC 9449) proof creation and verification

Extended Cryptographic Support

โœ… CryptoKit Integration

  • JWK encoding/decoding for all CryptoKit key types (P256, P384, P521, Curve25519, RSA)
  • SPKI (SubjectPublicKeyInfo) and PKCS#8 import/export for CryptoKit keys
  • ML-DSA (Dilithium) post-quantum keys with SPKI/PKCS#8 support
โœ… secp256k1 (P-256K) Support
  • ES256K signature algorithm for Bitcoin/Ethereum compatibility
  • ECDSA signing and verification
  • Schnorr signature support
  • ECDH key agreement

Getting Started

Swift Package Manager

Add JWSETKit to your Package.swift:

dependencies: [
    .package(url: "https://github.com/amosavian/JWSETKit", from: "2.0.0")
]

Then add to your target:

dependencies: [
    .product(name: "JWSETKit", package: "JWSETKit"),
]

With X509 Support

For X509 certificate support (Swift 6.1+):

dependencies: [
    .package(url: "https://github.com/amosavian/JWSETKit", from: "2.0.0", traits: ["X509"])
]

With P256K Support

For secp256k1 (ES256K) support (Swift 6.1+):

dependencies: [
    .package(url: "https://github.com/amosavian/JWSETKit", from: "2.0.0", traits: ["P256K"])
]

With HTTP Support (Server-Side)

The HTTP trait enables networking helpers used for server-side integration: remote JWKS fetching, AsyncHTTPClient / swift-http-types support, and the DPoP request extensions. Enable it when integrating with Vapor or Hummingbird:

dependencies: [
    .package(url: "https://github.com/amosavian/JWSETKit", from: "2.0.0", traits: ["HTTP"])
]

Xcode

  • File โ†’ Add Package Dependencies
  • Enter: https://github.com/amosavian/JWSETKit
  • Select version and add to your target

Usage

For detailed usage and API documentation, check [the documentation][docs].

Creating and Verifying JWT Signature

import JWSETKit
import CryptoKit

// Create a JWT with claims let key = SymmetricKey(size: .bits256) let payload = try JSONWebTokenClaims { $0.issuedAt = .init() $0.expiry = .init(timeIntervalSinceNow: 3600) $0.jwtUUID = .init() $0.subject = "user123" } let jwt = try JSONWebToken(payload: payload, algorithm: .hmacSHA256, using: key)

// Verify and decode let decodedJWT = try JSONWebToken(from: jwtString) try decodedJWT.verifySignature(using: key) print(decodedJWT.payload.subject) // "user123"

Basic JWT Authentication

// Initialize key
let key = try P256.Signing.PublicKey(pemRepresentation: publicKeyPEM)

// Verify incoming JWT let token = try JSONWebToken(from: request.headers["Authorization"]) try token.verify(using: key, for: "audience-name")

Working with JWS

// Sign arbitrary data with JWS
let payload = "Important message"
let jws = try JSONWebSignaturePlain(
    payload: payload.utf8,
    algorithm: .ecdsaSignatureP256SHA256,
    using: key
)
try print(String(jws))

// Verify JWS signature let verified = try JSONWebSignaturePlain(from: String(jws)) try verified.verifySignature(using: key) let message = String(decoding: verified.payload, as: UTF8.self)

Encrypting with JWE

// Encrypt sensitive data
let sensitiveData = Data("Secret information".utf8)
let encryptionKey = JSONWebRSAPrivateKey(keySize: .bits2048) 
let jwe = try JSONWebEncryption(
    content: sensitiveData,
    keyEncryptingAlgorithm: .rsaEncryptionOAEP,
    keyEncryptionKey: encryptionKey.publicKey,
    contentEncryptionAlgorithm: .aesEncryptionGCM128
)
try print(String(jwe))

// Decrypt JWE let jwe = try JSONWebEncryption(from: jweString) let decrypted = jwe.decrypt(using: encryptionKey) let secret = String(decoding: decrypted, as: UTF8.self)

Managing Keys with JWK

// Create CryptoKit key
let privateKey = P256.Signing.PrivateKey()

// Import and Export as JWK data let jwkJSON = try JSONEncoder().encode(privateKey) let importedJWK = try JSONDecoder().decode(P256.Signing.PrivateKey.self, from: jwkJSON)

// Import PKCS#8 let importedKey = try P256.Signing.PrivateKey(importing: pkcs8Data, format: .pkcs8)

SD-JWT (Selective Disclosure)

// Issuer: Create SD-JWT with selective claims
let claims = try JSONWebTokenClaims {
    $0.issuer = "https://issuer.example.com"
    $0.subject = "user123"
    $0.giveName = "John"
    $0.familyName = "Doe"
    $0.email = "john@example.com"
}

let sdJWT = try JSONWebSelectiveDisclosureToken( claims: claims, policy: .standard, // Standard claims visible, others disclosable using: issuerKey )

// Holder: Create presentation with selected disclosures let presentation = try sdJWT.presenting(paths: ["/email"])

// Verifier: Validate and access disclosed claims try presentation.validate() try presentation.verifySignature(using: issuerPublicKey) let disclosed = try presentation.disclosedPayload() print(disclosed.email) // "john@example.com"

๐Ÿ“Š Comparison with Alternatives

Features

| | JWSETKit | [jwt-kit] | [JOSESwift] | Auth0's [JWTDecode] | |:-------------------------------|:------------------:|:------------------:|:------------------:|:-------------------:| | JSON Web Signature (JWS) | :whitecheckmark: | :x: | :whitecheckmark: | :x: | | JWS Multiple Signatures | :whitecheckmark: | :x: | :x: | :x: | | JWS Unencoded/Detached Payload | :whitecheckmark: | :x: | :x: | :x: | | JSON Web Token (JWT) | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | | JWT Signature Verification | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | JWT Expire/NotBefore Validity | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | JSON Web Encryption (JWE) | :whitecheckmark: | :x: | :whitecheckmark: | :x: | | SD-JWT (RFC 9901) | :whitecheckmark: | :x: | :x: | :x: | | DPoP (RFC 9449) | :whitecheckmark: | :x: | :x: | :x: | | Support [CommonCrypto] Keys | :whitecheckmark: | :x: | :x: | :x: | | Support [CryptoKit] Keys | :whitecheckmark: | :x: | :x: | :x: |

Supported Algorithms

Signature/HMAC

| | JWSETKit | [jwt-kit] | [JOSESwift] | Auth0's [JWTDecode] | |:----------|:------------------:|:------------------:|:------------------:|:-------------------:| | HS256 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | HS384 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | HS512 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | RS256 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | RS384 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | RS512 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | ES256 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | ES384 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | ES512 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | PS256 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | PS384 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | PS512 | :whitecheckmark: | :whitecheckmark: | :whitecheckmark: | :x: | | EdDSA | :whitecheckmark: | :whitecheckmark: | :x: | :x: | | Ed25519 | :whitecheckmark: | :whitecheckmark: | :x: | :x: | | Ed448 | :x: | :x: | :x: | :x: | | ES256K | :whitecheckmark: | :x: | :x: | :x: | | ML-DSA-44 | :x: | :x: | :x: | :x: | | ML-DSA-65 | :whitecheckmark: | :whitecheckmark: | :x: | :x: | | ML-DSA-87 | :whitecheckmark: | :whitecheckmark: | :x: | :x: |

Key Encryption

| | JWSETKit | [JOSESwift] | |:-----------------------|:------------------:|:------------------:| | RSA15 | :whitecheckmark: | :whitecheck_mark: | | RSA-OAEP | :whitecheckmark: | :whitecheckmark: | | RSA-OAEP-256 | :whitecheckmark: | :whitecheckmark: | | A128KW | :whitecheckmark: | :whitecheckmark: | | A192KW | :whitecheckmark: | :whitecheckmark: | | A256KW | :whitecheckmark: | :whitecheckmark: | | dir | :whitecheckmark: | :whitecheckmark: | | ECDH-ES | :whitecheckmark: | :whitecheckmark: | | ECDH-ES+A128KW | :whitecheckmark: | :whitecheckmark: | | ECDH-ES+A192KW | :whitecheckmark: | :whitecheckmark: | | ECDH-ES+A256KW | :whitecheckmark: | :whitecheckmark: | | A128GCMKW | :whitecheckmark: | :x: | | A192GCMKW | :whitecheckmark: | :x: | | A256GCMKW | :whitecheckmark: | :x: | | PBES2-HS256+A128KW | :whitecheckmark: | :x: | | PBES2-HS384+A192KW | :whitecheckmark: | :x: | | PBES2-HS512+A256KW | :whitecheckmark: | :x: | | HPKE-0 (P256/AES128) | :whitecheckmark: | :x: | | HPKE-1 (P384/AES256) | :whitecheckmark: | :x: | | HPKE-2 (P521/AES256) | :whitecheckmark: | :x: | | HPKE-3 (X25519/AES256) | :whitecheckmark: | :x: | | HPKE-4 (X25519/ChaCha) | :whitecheckmark: | :x: | | HPKE-5 (X448/AES256) | :x: | :x: | | HPKE-6 (X448/ChaCha) | :x: | :x: | | HPKE-7 (P256/AES256) | :whitecheckmark: | :x: |

Content Encryption

| | JWSETKit | [JOSESwift] | |:--------------|:------------------:|:------------------:| | A128CBC-HS256 | :whitecheckmark: | :whitecheckmark: | | A192CBC-HS384 | :whitecheckmark: | :whitecheckmark: | | A256CBC-HS512 | :whitecheckmark: | :whitecheckmark: | | A128GCM | :whitecheckmark: | :whitecheckmark: | | A192GCM | :whitecheckmark: | :whitecheckmark: | | A256GCM | :whitecheckmark: | :whitecheckmark: |

๐Ÿ—๏ธ Use Cases

JWSETKit is perfect for:

  • ๐Ÿ”‘ API Authentication - Secure REST API authentication with JWT tokens
  • ๐ŸŒ OAuth 2.0 / OpenID Connect - Implement modern authentication flows
  • ๐Ÿ“ฑ Mobile App Security - Token-based auth for iOS/macOS apps
  • ๐Ÿ–ฅ๏ธ Server-Side Swift - Drop-in [Vapor][docs-vapor] and [Hummingbird][docs-hummingbird] request authentication
  • ๐Ÿ”„ Microservices - Service-to-service authentication
  • ๐ŸŽซ Session Management - Stateless session tokens
  • ๐Ÿ” Data Encryption - Protect sensitive data with JWE
  • ๐Ÿชช Verifiable Credentials - Privacy-preserving identity with SD-JWT

๐Ÿ“š Documentation

๐Ÿ“– [Full Documentation][docs]

Browse our comprehensive guides:

  • [Getting Started][docs]
  • [Cryptography Guide][docs-cryptography]
  • [Security Guidelines & Algorithm Selection][docs-security]
  • [Extending Containers][docs-extending]
  • [Using JWSETKit with Vapor][docs-vapor]
  • [Migrating from Vapor JWTKit][docs-migration]
  • [Using JWSETKit with Hummingbird][docs-hummingbird]
  • [Using DPoP (RFC 9449)][docs-dpop]
  • [API Reference][docs-api]

๐Ÿค Contributing

We welcome contributions!

How to Contribute

  • Fork the repository
  • Create your feature branch (git checkout -b feature/amazing-feature)
  • Commit your changes (git commit -m 'Add amazing feature')
  • Push to the branch (git push origin feature/amazing-feature)
  • Open a Pull Request

Development

# Clone the repository
git clone https://github.com/amosavian/JWSETKit.git

Run tests

swift test

Build the project

swift build

Benchmarks

JWSETKit ships a performance benchmark suite built on package-benchmark, plus an opt-in head-to-head comparison against other Swift JOSE libraries:

swift package --package-path Benchmarks/Regression benchmark

๐ŸŒŸ Support

๐Ÿ“„ License

JWSETKit is released under the MIT License. See LICENSE for details.

๐Ÿ™ Acknowledgments

This library implements the following JOSE standards:

  • RFC 7515 - JSON Web Signature (JWS)
  • RFC 7516 - JSON Web Encryption (JWE)
  • RFC 7517 - JSON Web Key (JWK)
  • RFC 7518 - JSON Web Algorithms (JWA)
  • RFC 7519 - JSON Web Token (JWT)
  • RFC 7520 - Examples of Protecting Content Using JSON Object Signing and Encryption (JOSE)
  • RFC 7797 - JSON Web Signature (JWS) Unencoded Payload Option
  • RFC 7800 - Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
  • RFC 9864 - Fully-Specified Algorithms for JOSE and COSE
  • RFC 9901 - SD-JWT: Selective Disclosure for JWTs
  • draft-ietf-jose-hpke-encrypt - Use of Hybrid Public Key Encryption (HPKE) with JSON Object Signing and Encryption (JOSE)
  • draft-ietf-cose-dilithium - ML-DSA for JOSE and COSE
  • OIDC Core - OpenID Connect Core 1.0 incorporating errata set 2

Built with โค๏ธ using Swift

Star on GitHub

[swift-workflow-badge]: https://github.com/amosavian/JWSETKit/actions/workflows/swift.yml/badge.svg [swift-workflow-url]: https://github.com/amosavian/JWSETKit/actions/workflows/swift.yml [codeql-workflow-badge]: https://github.com/amosavian/JWSETKit/actions/workflows/codeql.yml/badge.svg [codeql-workflow-url]: https://github.com/amosavian/JWSETKit/actions/workflows/codeql.yml [license-badge]: https://img.shields.io/github/license/amosavian/JWSETKit.svg [license-url]: LICENSE [release-badge]: https://img.shields.io/github/release/amosavian/JWSETKit.svg [release-url]: https://github.com/amosavian/JWSETKit/releases

[sonar-link]: https://sonarcloud.io/summary/newcode?id=amosavianJWSETKit [codecov-link]: https://codecov.io/gh/amosavian/JWSETKit [sonar-quality-badge]: https://sonarcloud.io/api/projectbadges/measure?project=amosavianJWSETKit&metric=alert_status [sonar-cloc-badge]: https://sonarcloud.io/api/projectbadges/measure?project=amosavianJWSETKit&metric=ncloc [sonar-duplicated-lines-badge]: https://sonarcloud.io/api/projectbadges/measure?project=amosavianJWSETKit&metric=duplicatedlinesdensity [sonar-maintainability-badge]: https://sonarcloud.io/api/projectbadges/measure?project=amosavianJWSETKit&metric=sqale_rating [sonar-tech-debt-badge]: https://sonarcloud.io/api/projectbadges/measure?project=amosavianJWSETKit&metric=sqale_index [codecov-coverage-badge]: https://codecov.io/gh/amosavian/JWSETKit/graph/badge.svg?token=PIYYY5XWAG

[swift-versions-badge]: https://img.shields.io/endpoint?url=https%3A%2F%2Fswiftpackageindex.com%2Fapi%2Fpackages%2Famosavian%2FJWSETKit%2Fbadge%3Ftype%3Dswift-versions [spi-url]: https://swiftpackageindex.com/amosavian/JWSETKit [platforms-badge]: https://img.shields.io/endpoint?url=https%3A%2F%2Fswiftpackageindex.com%2Fapi%2Fpackages%2Famosavian%2FJWSETKit%2Fbadge%3Ftype%3Dplatforms

[docs]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation [docs-api]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation/jwsetkit [docs-cryptography]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation/jwsetkit/3-cryptography [docs-security]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation/jwsetkit/5-securityguidelines [docs-extending]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation/jwsetkit/7-extending-container [docs-vapor]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation/jwsetkit/9-vaporintegration [docs-hummingbird]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation/jwsetkit/10-hummingbirdintegration [docs-dpop]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation/jwsetkit/11-dpop [docs-migration]: https://swiftpackageindex.com/amosavian/JWSETKit/documentation/jwsetkit/8-migrationfromvaporjwt [jwt-kit]: https://github.com/vapor/jwt-kit [JOSESwift]: https://github.com/airsidemobile/JOSESwift [JWTDecode]: https://github.com/auth0/JWTDecode.swift [CommonCrypto]: https://developer.apple.com/documentation/security/certificatekeyandtrustservices [CryptoKit]: https://developer.apple.com/documentation/cryptokit/

ยฉ 2026 GitRepoTrend ยท amosavian/JWSETKit ยท Updated daily from GitHub