JSON Web Key (JWK)

The jwk Module implements the JSON Web Key standard. A JSON Web Key is represented by a JWK object, related utility classes and functions are availbale in this module too.


class jwcrypto.jwk.JWK(**kwargs)

Bases: object

JSON Web Key object

This object represent a Key. It must be instantiated by using the standard defined key/value pairs as arguents of the initialization function.

Creates a new JWK object.

The function arguments must be valid parameters as defined in the ‘IANA JSON Web Key Set Parameters registry’ and specified in the JWKParamsRegistry variable. The ‘kty’ parameter must always be provided and its value must be a valid one as defined by the ‘IANA JSON Web Key Types registry’ and specified in the JWKTypesRegistry variable. The valid key parameters per key type are defined in the JWKValuesregistry variable.

Alternatively if the ‘generate’ parameter is provided, with a valid key type as value then a new key will be generated according to the defaults or provided key strenght options (type specific).

Valid options per type, when generating new keys:
  • oct: size(int)
  • RSA: public_exponent(int), size(int)
  • EC: curve(str) (one of P-256, P-384, P-521)
  • InvalidJWKType – if the key type is invalid
  • InvalidJWKValue – if incorrect or inconsistent parameters are provided.

Exports the key in the standard JSON format


Exports the public key in the standard JSON format


Gets the Elliptic Curve associated with the key.


arg – an optional curve name

  • InvalidJWKType – the key is not an EC key.
  • InvalidJWKValue – if the curve names is invalid.
get_op_key(operation=None, arg=None)

Get the key object associated to the requested opration. For example the public RSA key for the ‘verify’ operation or the private EC key for the ‘decrypt’ operation.

  • operation – The requested operation. The valid set of operations is availble in the JWKOperationsRegistry registry.
  • arg – an optional, context specific, argument For example a curve name.
  • InvalidJWKOperation – if the operation is unknown or not permitted with this key.
  • InvalidJWKUsage – if the use constraints do not permit the operation.

The Key ID. Provided by the kid parameter if present, otherwise returns None.


The Key type

class jwcrypto.jwk.JWKSet

Bases: set

A set of JWK objects.

Inherits for the standard ‘set’ bultin type.


Adds a JWK object to the set

Parameters:elem – the JWK object to add.
Raises TypeError:
 if the object is not a JWK.

Exports the set using the standard JSON format


Gets a key from the set. :param kid: the ‘kid’ key identifier.


class jwcrypto.jwk.InvalidJWKType(value=None)

Bases: exceptions.Exception

Invalid JWK Type Exception.

This exception is raised when an invalid parameter type is used.

class jwcrypto.jwk.InvalidJWKValue

Bases: exceptions.Exception

Invalid JWK Value Exception.

This exception is raised when an invalid/unknown value is used in the context of an operation that requires specific values to be used based on the key type or other constraints.

class jwcrypto.jwk.InvalidJWKOperation(operation, values)

Bases: exceptions.Exception

Invalid JWK Operation Exception.

This exception is raised when an invalid key operation is requested, based on the key type and declared usage constraints.

class jwcrypto.jwk.InvalidJWKUsage(use, value)

Bases: exceptions.Exception

Invalid JWK usage Exception.

This exception is raised when an invalid key usage is requested, based on the key type and declared usage constraints.



Registry of valid Key Types


Registry of valid key values


Regstry of valid key parameters


Registry of allowed Elliptic Curves


Registry of allowed uses


Registry of allowed operations