JWS
What is JWS?
JSON Web Signature (RFC 7515) is a JOSE format that protects the integrity and origin of arbitrary content using a digital signature or MAC over a Base64URL-encoded header and payload.
A JWS (RFC 7515) ties a payload to its signer through a signature over the concatenation BASE64URL(header) || '.' || BASE64URL(payload). The Compact Serialization, three dot-separated Base64URL segments, is what most developers know as a JWT-style token; the JSON Serialization (general and flattened) supports multiple signatures and is used in W3C Verifiable Credentials and package signing. Algorithms are registered in RFC 7518 (HS256, RS256, PS256, ES256) and RFC 8037 (EdDSA). Implementers must reject alg:none, refuse to let the token's own alg header select the verification algorithm (the switch that turns an RSA verification into an HMAC check), validate the kid against a trusted JWK Set, and clamp lifetimes. Stable libraries include jose, node-jose, jjwt and python-jwt.
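As an added example (not code from RFC 7515 or from any of the libraries named above), the following Python signs and verifies an HS256 JWS Compact Serialization with the checks the paragraph calls for: the verifier pins the algorithm instead of trusting the header, resolves kid against a trusted JWK Set, compares the MAC in constant time, and clamps the lifetime. The key, the JWK Set and the 15-minute clamp are constructed for the demo.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed trusted JWK Set (RFC 7517 "oct" key). It comes from configuration, never from the token.
TRUSTED_JWKS = {"keys": [{"kty": "oct", "kid": "2024-05", "alg": "HS256",
                          "k": b64url(b"constructed-demo-key-not-for-production")}]}
MAX_LIFETIME = 900  # clamp: refuse tokens that claim to be valid for more than 15 minutes

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Signing input is BASE64URL(header) || '.' || BASE64URL(payload), per RFC 7515.
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, now: float) -> dict:
    # Returns the payload of a valid compact JWS; raises ValueError on any failure.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS Compact Serialization")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # 1. The verifier fixes the algorithm; one check rejects "none" and any header-driven switch.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 2. kid must resolve to a key in the trusted JWK Set that is itself designated for HS256.
    jwk = next((k for k in TRUSTED_JWKS["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"
                and k.get("alg") == "HS256"), None)
    if jwk is None:
        raise ValueError("unknown kid")
    # 3. Recompute the MAC over the exact bytes that were signed; compare in constant time.
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    # 4. Clamp lifetime: exp must exist, lie in the future and be at most MAX_LIFETIME away.
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now or exp - now > MAX_LIFETIME:
        raise ValueError("exp missing, expired or lifetime too long")
    return payload

def is_valid(token: str, now: float) -> bool:
    try:
        verify_hs256(token, now)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```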
● Examples
- 01
An OAuth 2.0 JWT access token is a JWS Compact Serialization signed with RS256 over a claim set.
- 02
A signed software-update manifest distributed as a flattened JWS with kid pointing at a vendor JWK.
● Frequently asked questions
What is JWS?
JSON Web Signature (RFC 7515) is a JOSE format that protects the integrity and origin of arbitrary content using a digital signature or MAC over a Base64URL-encoded header and payload. It belongs to the Cryptography category of cybersecurity.
How does JWS work?
A JWS (RFC 7515) ties a payload to its signer through a signature over the concatenation BASE64URL(header) || '.' || BASE64URL(payload). The Compact Serialization, three dot-separated Base64URL segments, is what most developers know as a JWT-style token; the JSON Serialization (general and flattened) supports multiple signatures and is used in W3C Verifiable Credentials and package signing. Algorithms are registered in RFC 7518 (HS256, RS256, PS256, ES256) and RFC 8037 (EdDSA). Implementers must reject alg:none, refuse to let the token's own alg header select the verification algorithm (the switch that turns an RSA verification into an HMAC check), validate the kid against a trusted JWK Set, and clamp lifetimes. Stable libraries include jose, node-jose, jjwt and python-jwt.
How do you defend against JWS?
Defences for JWS combine the technical controls listed in the definition above (rejecting alg:none, pinning the expected algorithm rather than trusting the token's header, validating kid against a trusted JWK Set, and clamping lifetimes) with operational practices around key management.
What are other names for JWS?
Common alternative names include: JSON Web Signature.
● Related terms
- cryptography, № 565
JOSE
JavaScript Object Signing and Encryption: an IETF family of standards (RFC 7515-7520 and 8037) for representing signed and encrypted data using JSON.
- cryptography, № 571
JWE
JSON Web Encryption (RFC 7516) is a JOSE format that confidentially encapsulates a payload using authenticated encryption and either a key-wrapping or key-agreement scheme.
- cryptography, № 572
JWK
JSON Web Key, defined in RFC 7517, is a JSON object that represents a public or private cryptographic key for use in JOSE and OAuth-family protocols.
- identity-access, № 574
JWT (JSON Web Token)
Compact, URL-safe token format (RFC 7519) that carries signed JSON claims, widely used as access tokens, ID tokens, and session containers.
- identity-access, № 760
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that lets clients verify a user's identity and obtain basic profile information via signed ID tokens.
- cryptography, № 321
Digital Signature
A public-key cryptographic mechanism that proves the authenticity, integrity and non-repudiation of a message or document.
● See also
- COSE, № 225