[Replacement]: jsonwebtoken #485
Description
Package to replace
jsonwebtoken
Suggested replacement(s)
jose
Manifest type
preferred (lighter or more modern alternative package)
Rationale
jsonwebtoken doenst work on all environments, downs ship with types, is CJS only and uses lodash functions like isNumber, etc
jose is runtime agnostic and ships with types and is ESM.
https://npmx.dev/compare?packages=jsonwebtoken,jose
https://www.pkgpulse.com/blog/oslojs-vs-jose-vs-jsonwebtoken-modern-jwt-auth-2026
Availability
No response
Code example (optional)
// jsonwebtoken
import jwt from 'jsonwebtoken';
const secret = 'mysecretkey';
const payload = { userId: 123 };
const token = jwt.sign(payload, secret, { expiresIn: '1h' });
const decoded = jwt.verify(token, secret);
// jose
import { SignJWT, jwtVerify } from 'jose';
const secret = new TextEncoder().encode('mysecretkey');
const payload = { userId: 123 };
const token = await new SignJWT(payload)
.setProtectedHeader({ alg: 'HS256' })
.setExpirationTime('1h')
.sign(secret);
const { payload: decoded } = await jwtVerify(token, secret);