PyJWT changelog

JSON Web Token implementation in Python

All Versions

Latest Version

2.4.0

Avg Release Cycle

129 days

Latest Release

Changelog History

Page 1

v2.4.0 Changes

🔒 Security


- 🔒 [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
🔄 Changed
~~~~~~~
- Explicit check the key for ECAlgorithm by @estin in https://github.com/jpadilla/pyjwt/pull/713
- 🗄 Raise DeprecationWarning for jwt.decode(verify=...) by @akx in https://github.com/jpadilla/pyjwt/pull/742
🛠 Fixed
~~~~~
- Don't use implicit optionals by @rekyungmin in https://github.com/jpadilla/pyjwt/pull/705
- 📚 documentation fix: show correct scope for decode_complete() by @sseering in https://github.com/jpadilla/pyjwt/pull/661
- 🛠 fix: Update copyright information by @kkirsche in https://github.com/jpadilla/pyjwt/pull/729
- Don't mutate options dictionary in .decode_complete() by @akx in https://github.com/jpadilla/pyjwt/pull/743
➕ Added
~~~~~
- ➕ Add support for Python 3.10 by @hugovk in https://github.com/jpadilla/pyjwt/pull/699
- api_jwk: Add PyJWKSet.__getitem__ by @woodruffw in https://github.com/jpadilla/pyjwt/pull/725
- ⚡️ Update usage.rst by @guneybilen in https://github.com/jpadilla/pyjwt/pull/727
- 📄 Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @dmahr1 in https://github.com/jpadilla/pyjwt/pull/734
- 🛠 Fixed typo in usage.rst by @israelabraham in https://github.com/jpadilla/pyjwt/pull/738
- ➕ Add detached payload support for JWS encoding and decoding by @fviard in https://github.com/jpadilla/pyjwt/pull/723
- Replace various string interpolations with f-strings by @akx in https://github.com/jpadilla/pyjwt/pull/744
- ⚡️ Update CHANGELOG.rst by @hipertracker in https://github.com/jpadilla/pyjwt/pull/751

v2.3.0 Changes

🛠 Fixed


- ⏪ Revert "Remove arbitrary kwargs." `#701 <https://github.com/jpadilla/pyjwt/pull/701>`__
➕ Added

➕ Add exception chaining #702 <https://github.com/jpadilla/pyjwt/pull/702>__

v2.2.0 Changes

🔄 Changed


- ✂ Remove arbitrary kwargs. `#657 <https://github.com/jpadilla/pyjwt/pull/657>`__
- 📦 Use timezone package as Python 3.5+ is required. `#694 <https://github.com/jpadilla/pyjwt/pull/694>`__
🛠 Fixed
~~~~~
- Assume JWK without the "use" claim is valid for signing as per RFC7517 `#668 <https://github.com/jpadilla/pyjwt/pull/668>`__
- Prefer `headers["alg"]` to `algorithm` in `jwt.encode()`. `#673 <https://github.com/jpadilla/pyjwt/pull/673>`__
- 🛠 Fix aud validation to support {'aud': null} case. `#670 <https://github.com/jpadilla/pyjwt/pull/670>`__
- 👉 Make `typ` optional in JWT to be compliant with RFC7519. `#644 <https://github.com/jpadilla/pyjwt/pull/644>`__
- 🚚 Remove upper bound on cryptography version. `#693 <https://github.com/jpadilla/pyjwt/pull/693>`__
➕ Added
~~~~~
- ➕ Add support for Ed448/EdDSA. `#675 <https://github.com/jpadilla/pyjwt/pull/675>`__

v2.1.0 Changes

🔄 Changed


- 👍 Allow claims validation without making JWT signature validation mandatory. `#608 <https://github.com/jpadilla/pyjwt/pull/608>`__
🛠 Fixed
~~~~~
- ✂ Remove padding from JWK test data. `#628 <https://github.com/jpadilla/pyjwt/pull/628>`__
- 👉 Make `kty` mandatory in JWK to be compliant with RFC7517. `#624 <https://github.com/jpadilla/pyjwt/pull/624>`__
- 👍 Allow JWK without `alg` to be compliant with RFC7517. `#624 <https://github.com/jpadilla/pyjwt/pull/624>`__
- 👍 Allow to verify with private key on ECAlgorithm, as well as on Ed25519Algorithm. `#645 <https://github.com/jpadilla/pyjwt/pull/645>`__
➕ Added
~~~~~
- ➕ Add caching by default to PyJWKClient `#611 <https://github.com/jpadilla/pyjwt/pull/611>`__
- Add missing exceptions.InvalidKeyError to jwt module __init__ imports `#620 <https://github.com/jpadilla/pyjwt/pull/620>`__
- ➕ Add support for ES256K algorithm `#629 <https://github.com/jpadilla/pyjwt/pull/629>`__
- Add `from_jwk()` to Ed25519Algorithm `#621 <https://github.com/jpadilla/pyjwt/pull/621>`__
- Add `to_jwk()` to Ed25519Algorithm `#643 <https://github.com/jpadilla/pyjwt/pull/643>`__
- Export `PyJWK` and `PyJWKSet` `#652 <https://github.com/jpadilla/pyjwt/pull/652>`__

v2.0.1 Changes

🔄 Changed


- 📄 Rename CHANGELOG.md to CHANGELOG.rst and include in docs `#597 <https://github.com/jpadilla/pyjwt/pull/597>`__
🛠 Fixed
~~~~~
- Fix `from_jwk()` for all algorithms `#598 <https://github.com/jpadilla/pyjwt/pull/598>`__
➕ Added
~~~~~

v2.0.0 Changes
🔄 Changed
```
⬇️ Drop support for Python 2 and Python 3.0-3.5
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
👍 Python 3.5 is EOL so we decide to drop its support. Version ``1.7.1`` is
👍 the last one supporting Python 3.0-3.5.
Require cryptography >= 3
^^^^^^^^^^^^^^^^^^^^^^^^^
⬇️ Drop support for PyCrypto and ECDSA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We've kept this around for a long time, mostly for environments that
didn't allow installing cryptography.
⬇️ Drop CLI
^^^^^^^^
⬇️ Dropped the included cli entry point.
👌 Improve typings
^^^^^^^^^^^^^^^
We no longer need to use mypy Python 2 compatibility mode (comments)
``jwt.encode(...)`` return type
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Tokens are returned as string instead of a byte string
⬇️ Dropped deprecated errors
^^^^^^^^^^^^^^^^^^^^^^^^^
✂ Removed ``ExpiredSignature``, ``InvalidAudience``, and
``InvalidIssuer``. Use ``ExpiredSignatureError``,
``InvalidAudienceError``, and ``InvalidIssuerError`` instead.
⬇️ Dropped deprecated ``verify_expiration`` param in ``jwt.decode(...)``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
👉 Use
``jwt.decode(encoded, key, algorithms=["HS256"], options={"verify_exp": False})``
instead.
⬇️ Dropped deprecated ``verify`` param in ``jwt.decode(...)``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
👉 Use ``jwt.decode(encoded, key, options={"verify_signature": False})``
instead.
0️⃣ Require explicit ``algorithms`` in ``jwt.decode(...)`` by default
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Example: ``jwt.decode(encoded, key, algorithms=["HS256"])``.
⬇️ Dropped deprecated ``require_*`` options in ``jwt.decode(...)``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For example, instead of
``jwt.decode(encoded, key, algorithms=["HS256"], options={"require_exp": True})``,
👉 use
``jwt.decode(encoded, key, algorithms=["HS256"], options={"require": ["exp"]})``.
And the old v1.x syntax
``jwt.decode(token, verify=False)``
is now:
``jwt.decode(jwt=token, key='secret', algorithms=['HS256'], options={"verify_signature": False, "verify_exp": True})``
➕ Added
~~~~~
👍 Introduce better experience for JWKs
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Introduce ``PyJWK``, ``PyJWKSet``, and ``PyJWKClient``.
.. code:: python
 import jwt
 from jwt import PyJWKClient
 token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5FRTFRVVJCT1RNNE16STVSa0ZETlRZeE9UVTFNRGcyT0Rnd1EwVXpNVGsxUWpZeVJrUkZRdyJ9.eyJpc3MiOiJodHRwczovL2Rldi04N2V2eDlydS5hdXRoMC5jb20vIiwic3ViIjoiYVc0Q2NhNzl4UmVMV1V6MGFFMkg2a0QwTzNjWEJWdENAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vZXhwZW5zZXMtYXBpIiwiaWF0IjoxNTcyMDA2OTU0LCJleHAiOjE1NzIwMDY5NjQsImF6cCI6ImFXNENjYTc5eFJlTFdVejBhRTJINmtEME8zY1hCVnRDIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.PUxE7xn52aTCohGiWoSdMBZGiYAHwE5FYie0Y1qUT68IHSTXwXVd6hn02HTah6epvHHVKA2FqcFZ4GGv5VTHEvYpeggiiZMgbxFrmTEY0csL6VNkX1eaJGcuehwQCRBKRLL3zKmA5IKGy5GeUnIbpPHLHDxr-GXvgFzsdsyWlVQvPX2xjeaQ217r2PtxDeqjlf66UYl6oY6AqNS8DH3iryCvIfCcybRZkc_hdy-6ZMoKT6Piijvk_aXdm7-QQqKJFHLuEqrVSOuBqqiNfVrG27QzAPuPOxvfXTVLXL2jek5meH6n-VWgrBdoMFH93QEszEDowDAEhQPHVs0xj7SIzA"
 kid = "NEE1QURBOTM4MzI5RkFDNTYxOTU1MDg2ODgwQ0UzMTk1QjYyRkRFQw"
 url = "https://dev-87evx9ru.auth0.com/.well-known/jwks.json"
 jwks_client = PyJWKClient(url)
 signing_key = jwks_client.get_signing_key_from_jwt(token)
 data = jwt.decode(
 token,
 signing_key.key,
 algorithms=["RS256"],
 audience="https://expenses-api",
 options={"verify_exp": False},
 )
 print(data)
👌 Support for JWKs containing ECDSA keys
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
➕ Add support for Ed25519 / EdDSA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Pull Requests
```
- ✅ Add PyPy3 to the test matrix (#550) by @jdufresne
- Require tweak (#280) by @psafont
- Decode return type is dictstr, Any by @jacopofar
- 👕 Fix linter error in test_cli (#414) by @jaraco
- Run mypy with tox (#421) by @jpadilla
- Document (and prefer) pyjwt[crypto] req format (#426) by @gthb
- Correct type for json_encoder argument (#438) by @jdufresne
- Prefer https:// links where available (#439) by @jdufresne
- Pass python_requires argument to setuptools (#440) by @jdufresne
- Rename [wheel] section to [bdist_wheel] as the former is legacy (#441) by @jdufresne
- 🚚 Remove setup.py test command in favor of pytest and tox (#442) by @jdufresne
- Fix mypy errors (#449) by @jpadilla
- DX Tweaks (#450) by @jpadilla
- 👍 Add support of python 3.8 (#452) by @Djailla
- Fix 406 (#454) by @justinbaur
- ✅ Add support for Ed25519 / EdDSA, with unit tests (#455) by @Someguy123
- 🚚 Remove Python 2.7 compatibility (#457) by @Djailla
- Fix simple typo: encododed -> encoded (#462) by @timgates42
- ✨ Enhance tracebacks. (#477) by @JulienPalard
- Simplify python_requires (#478) by @michael-k
- Document top-level .encode and .decode to close #459 (#482) by @dimaqq
- 📚 Improve documentation for audience usage (#484) by @CorreyL
- ✅ Correct README on how to run tests locally (#489) by @jdufresne
- 👕 Fix tox -e lint warnings and errors (#490) by @jdufresne
- ⬆️ Run pyupgrade across project to use modern Python 3 conventions (#491) by @jdufresne
- 🚚 Add Python-3-only trove classifier and remove "universal" from wheel (#492) by @jdufresne
- ⚠ Emit warnings about user code, not pyjwt code (#494) by @mgedmin
- 🚚 Move setup information to declarative setup.cfg (#495) by @jdufresne
- CLI options for verifying audience and issuer (#496) by @GeoffRichards
- Specify the target Python version for mypy (#497) by @jdufresne
- 🚚 Remove unnecessary compatibility shims for Python 2 (#498) by @jdufresne
- Setup GH Actions (#499) by @jpadilla
- Implementation of ECAlgorithm.from_jwk (#500) by @jpadilla
- 🚚 Remove cli entry point (#501) by @jpadilla
- Expose InvalidKeyError on jwt module (#503) by @russellcardullo
- Avoid loading token twice in pyjwt.decode (#506) by @CaselIT
- 📚 Default links to stable version of documentation (#508) by @salcedo
- ⚡️ Update README.md badges (#510) by @jpadilla
- 👍 Introduce better experience for JWKs (#511) by @jpadilla
- Fix tox conditional extras (#512) by @jpadilla
- Return tokens as string not bytes (#513) by @jpadilla
- 👍 Drop support for legacy contrib algorithms (#514) by @jpadilla
- 🗄 Drop deprecation warnings (#515) by @jpadilla
- ⚡️ Update Auth0 sponsorship link (#519) by @Sambego
- ⚡️ Update return type for jwt.encode (#521) by @moomoolive
- ✅ Run tests against Python 3.9 and add trove classifier (#522) by @michael-k
- 🚚 Removed redundant default_backend() (#523) by @rohitkg98
- Documents how to use private keys with passphrases (#525) by @rayluo
- ⚡️ Update version to 2.0.0a1 (#528) by @jpadilla
- Fix usage example (#530) by @nijel
- 📄 add EdDSA to docs (#531) by @CircleOnCircles
- 🚚 Remove support for EOL Python 3.5 (#532) by @jdufresne
- ⬆️ Upgrade to isort 5 and adjust configurations (#533) by @jdufresne
- 🚚 Remove unused argument "verify" from PyJWS.decode() (#534) by @jdufresne
- ⚡️ Update typing syntax and usage for Python 3.6+ (#535) by @jdufresne
- ⬆️ Run pyupgrade to simplify code and use Python 3.6 syntax (#536) by @jdufresne
- ✅ Drop unknown pytest config option: strict (#537) by @jdufresne
- ⬆️ Upgrade black version and usage (#538) by @jdufresne
- 🚚 Remove "Command line" sections from docs (#539) by @jdufresne
- ✅ Use existing key_path() utility function throughout tests (#540) by @jdufresne
- Replace force_bytes()/force_unicode() in tests with literals (#541) by @jdufresne
- 🚚 Remove unnecessary Unicode decoding before json.loads() (#542) by @jdufresne
- Remove unnecessary force_bytes() calls priot to base64url_decode() (#543) by @jdufresne
- 🚚 Remove deprecated arguments from docs (#544) by @jdufresne
- ⚡️ Update code blocks in docs (#545) by @jdufresne
- 🔨 Refactor jwt/jwks_client.py without requests dependency (#546) by @jdufresne
- 🚚 Tighten bytes/str boundaries and remove unnecessary coercing (#547) by @jdufresne
- Replace codecs.open() with builtin open() (#548) by @jdufresne
- Replace int_from_bytes() with builtin int.from_bytes() (#549) by @jdufresne
- Enforce .encode() return type using mypy (#551) by @jdufresne
- Prefer direct indexing over options.get() (#552) by @jdufresne
- Cleanup "noqa" comments (#553) by @jdufresne
- 🔀 Replace merge_dict() with builtin dict unpacking generalizations (#555) by @jdufresne
- 🛰 Do not mutate the input payload in PyJWT.encode() (#557) by @jdufresne
- Use direct indexing in PyJWKClient.get_signing_key_from_jwt() (#558) by @jdufresne
- Split PyJWT/PyJWS classes to tighten type interfaces (#559) by @jdufresne
- ✅ Simplify mocked_response test utility function (#560) by @jdufresne
- ⚡️ Autoupdate pre-commit hooks and apply them (#561) by @jdufresne
- 👌 Remove unused argument "payload" from PyJWS.\ verify\ signature() (#562) by @jdufresne
- ✅ Add utility functions to assist test skipping (#563) by @jdufresne
- Type hint jwt.utils module (#564) by @jdufresne
- Prefer ModuleNotFoundError over ImportError (#565) by @jdufresne
- Fix tox "manifest" environment to pass (#566) by @jdufresne
- 📄 Fix tox "docs" environment to pass (#567) by @jdufresne
- 🔧 Simplify black configuration to be closer to upstream defaults (#568) by @jdufresne
- Use generator expressions (#569) by @jdufresne
- Simplify from_base64url_uint() (#570) by @jdufresne
- 👕 Drop lint environment from GitHub actions in favor of pre-commit.ci (#571) by @jdufresne
- ⚡️ [pre-commit.ci] pre-commit autoupdate (#572)
- 🔧 Simplify tox configuration (#573) by @jdufresne
- ✅ Combine identical test functions using pytest.mark.parametrize() (#574) by @jdufresne
- Complete type hinting of jwks_client.py (#578) by @jdufresne
v2.0.0.a1
November 02, 2020
v1.7.1 Changes
December 07, 2018
🛠 Fixed
- ⚡️ Update test dependencies with pinned ranges (b65e1ac)
- 🛠 Fix pytest deprecation warnings (b65e1ac)

v1.7.0 Changes

December 02, 2018

🔄 Changed


- 🚚 Remove CRLF line endings
 `#353 <https://github.com/jpadilla/pyjwt/pull/353>`__
🛠 Fixed
~~~~~
- ⚡️ Update usage.rst
 `#360 <https://github.com/jpadilla/pyjwt/pull/360>`__
➕ Added
~~~~~
- 👍 Support for Python 3.7
 `#375 <https://github.com/jpadilla/pyjwt/pull/375>`__
 `#379 <https://github.com/jpadilla/pyjwt/pull/379>`__
 `#384 <https://github.com/jpadilla/pyjwt/pull/384>`__

v1.6.4 Changes

May 24, 2018

🛠 Fixed


- Reverse an unintentional breaking API change to .decode()
 `#352 <https://github.com/jpadilla/pyjwt/pull/352>`__

Awesome Python is part of the LibHunt network. Terms. Privacy Policy.

(CC)

BY-SA

We recommend Spin The Wheel Of Names for a cryptographically secure random name picker.

PyJWT changelog

JSON Web Token implementation in Python

Changelog History Page 1

v2.0.0.a1

🛠 Fixed

Changelog History

Page 1