This is the documentation of the development version, check the Stable Version documentation.

RFC7516: JSON Web Encryption

This section contains the generic implementation of RFC7516. Find how to use it in JWE Guide.

API Reference

class authlib.jose.JsonWebEncryption(algorithms=None, private_headers=None)
REGISTERED_HEADER_PARAMETER_NAMES = frozenset({'x5c', 'x5t#S256', 'typ', 'x5u', 'alg', 'crit', 'jku', 'enc', 'zip', 'kid', 'x5t', 'cty', 'jwk'})

Registered Header Parameter Names defined by Section 4.1

classmethod register_algorithm(algorithm)

Register an algorithm for alg or enc or zip of JWE.

serialize_compact(protected, payload, key)

Generate a JWE Compact Serialization. The JWE Compact Serialization represents encrypted content as a compact, URL-safe string. This string is:

BASE64URL(UTF8(JWE Protected Header)) || ‘.’ || BASE64URL(JWE Encrypted Key) || ‘.’ || BASE64URL(JWE Initialization Vector) || ‘.’ || BASE64URL(JWE Ciphertext) || ‘.’ || BASE64URL(JWE Authentication Tag)

Only one recipient is supported by the JWE Compact Serialization and it provides no syntax to represent JWE Shared Unprotected Header, JWE Per-Recipient Unprotected Header, or JWE AAD values.

  • protected – A dict of protected header
  • payload – A string/dict of payload
  • key – Private key used to generate signature


deserialize_compact(s, key, decode=None)

Exact JWS Compact Serialization, and validate with the given key.

  • s – text of JWS Compact Serialization
  • key – key used to verify the signature
  • decode – a function to decode plaintext data


class authlib.jose.JWEAlgorithm

Interface for JWE algorithm. JWA specification (RFC7518) SHOULD implement the algorithms for JWE with this base implementation.

class authlib.jose.JWEEncAlgorithm
encrypt(msg, aad, iv, key)

Encrypt the given “msg” text.

  • msg – text to be encrypt in bytes
  • aad – additional authenticated data in bytes
  • iv – initialization vector in bytes
  • key – encrypted key in bytes

(ciphertext, iv, tag)

decrypt(ciphertext, aad, iv, tag, key)

Decrypt the given cipher text.

  • ciphertext – ciphertext in bytes
  • aad – additional authenticated data in bytes
  • iv – initialization vector in bytes
  • tag – authentication tag in bytes
  • key – encrypted key in bytes


class authlib.jose.JWEZipAlgorithm