Changelog History

  • v0.11.3 Changes

    🚀 This patch release:

    • ➕ Adds additional handling for rare JSON parsing exceptions and wraps them in a JwtException to allow the application to handle these conditions as JWT concerns.
    • ⬆️ Upgrades the jjwt-jackson module's Jackson dependency to
  • v0.11.2 Changes

    🚀 This patch release:

    • 👍 Allows empty JWS bodies to support RFC 8555 and similar initiatives. Pull Request 540
    • Ensures OSGi environments can access JJWT implementation bundles (jjwt-jackson, jjwt-gson, etc) as fragments to jjwt-api bundle. Pull Request 580
    • Rejects allowedClockSkewSeconds values that would cause numeric overflow. Issue 583
    • ⬆️ Upgrades Jackson dependency to version to address all known Jackson CVE vulnerabilities. Issue 585
    • ⚡️ Updates SecretKey algorithm name validation to allow PKCS12 KeyStore OIDs in addition to JCA Names. Issue 588
    • 🏗 Enabled CI builds on JDK 14. Pull Request 590
    • ➕ Adds missing parameter types to Maps.add(), which removes an unchecked type warning. Issue 591
    • Ensures GsonDeserializer always uses UTF-8 for encoding bytes to Strings. Pull Request 592

    All issues and PRs are listed in the GitHub JJWT 0.11.2 milestone.

  • v0.11.1 Changes

    🚀 This patch release:

    • ⬆️ Upgrades the jjwt-jackson module's Jackson dependency to
    • 🛠 Fixes an issue when using Java 9+ Map.of with JacksonDeserializer that resulted in a NullPointerException.
    • 🛠 Fixes an issue that prevented the jjwt-gson .jar's serializer/deserializer implementation from being detected automatically.
    • Ensures service implementations are now loaded from the context class loader, Services.class.classLoader, and the system classloader; the first classloader with a service wins, and the others are ignored. This mimics how Classes.forName() works, and how JJWT attempted to auto-discover various implementations in previous versions.
    • 🛠 Fixes a minor error in the Claims#getIssuedAt JavaDoc.
  • v0.11.0 Changes

    🚀 This minor release:

    • ➕ Adds Google's Gson as a natively supported JSON parser. Installation instructions have been updated and new JJWT Gson usage guidelines have been added.
    • 🚀 Updates the Jackson dependency version to 2.9.10 to address three security vulnerabilities in Jackson.
    • 🚚 A new JwtParserBuilder interface has been added and is the recommended way of creating an immutable and thread-safe JwtParser instance. Mutable methods in JwtParser will be removed before v1.0. Migration to the new signatures is straightforward, for example:

      Previous Version:


      Current Version:

    • ➕ Adds io.jsonwebtoken.lang.Maps utility class to make creation of maps fluent, as demonstrated next.

    • ➕ Adds support for custom types when deserializing with Jackson. To use it, configure your parser:

          new JacksonDeserializer(
              Maps.of("claimName", YourType.class).build() // <--
          )

    • 📦 Moves JSON Serializer/Deserializer implementations to a different package name.

      • ->
      • ->
      • ->
      • ->

    Backward compatibility modules have been created using the deprecated classifier (io.jsonwebtoken:jjwt-jackson:0.11.0:deprecated and io.jsonwebtoken:jjwt-orjson:0.11.0:deprecated) for use if you are compiling against these classes directly; otherwise you will be unaffected.

    ⚠ Backwards Compatibility Warning

    📦 Due to this package move, if you are currently using one of the above four existing (pre 0.11.0) classes with compile scope, you must either:

    1. change your code to use the newer package classes (recommended), or
    2. change your build/dependency configuration to use the deprecated dependency classifier to use the existing classes, as follows:




    compile 'io.jsonwebtoken:jjwt-jackson:0.11.0:deprecated'

    Note that the first option is recommended, since the second option will not be available starting with the 1.0 release.
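
    The JwtParserBuilder migration described in this entry, as an added example (not taken from the JJWT changelog or project documentation). It assumes jjwt-api, jjwt-impl and jjwt-jackson 0.11.x on the classpath; the class name, the 30-second clock skew and the subject values are constructed for illustration.

    ```java
    import io.jsonwebtoken.Claims;
    import io.jsonwebtoken.Jws;
    import io.jsonwebtoken.JwtException;
    import io.jsonwebtoken.JwtParser;
    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;
    import io.jsonwebtoken.security.Keys;

    import javax.crypto.SecretKey;

    public class ParserBuilderExample {

        // Build once and reuse: the parser returned by build() is immutable and thread-safe.
        static JwtParser newParser(SecretKey key) {
            return Jwts.parserBuilder()
                    .setSigningKey(key)
                    .setAllowedClockSkewSeconds(30) // constructed value, tune per deployment
                    .build();
        }

        // Returns the subject of a valid token, or null when the token is rejected.
        static String subjectOrNull(JwtParser parser, String compactJws) {
            if (compactJws == null || compactJws.trim().isEmpty()) {
                return null; // the parser throws IllegalArgumentException for empty input
            }
            try {
                Jws<Claims> jws = parser.parseClaimsJws(compactJws);
                return jws.getBody().getSubject();
            } catch (JwtException e) {
                // Bad signature, expired token, malformed input: all are "not authenticated".
                return null;
            }
        }

        public static void main(String[] args) {
            SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256);      // throwaway demo key
            SecretKey otherKey = Keys.secretKeyFor(SignatureAlgorithm.HS256); // a key the verifier does not trust
            JwtParser parser = newParser(key);

            String valid = Jwts.builder().setSubject("alice").signWith(key).compact();
            String wrongKey = Jwts.builder().setSubject("alice").signWith(otherKey).compact();

            System.out.println(subjectOrNull(parser, valid));    // alice
            System.out.println(subjectOrNull(parser, wrongKey)); // null (signature check fails)
        }
    }
    ```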

  • v0.10.8 Changes

    🚀 This patch release:

    • Ensures that SignatureAlgorithms PS256, PS384, and PS512 work properly on JDK 11 and later without the need for BouncyCastle. Previous releases referenced a BouncyCastle-specific algorithm name instead of the Java Security Standard Algorithm Name of RSASSA-PSS. This release ensures the standard name is used moving forward.

    • 🛠 Fixes a backwards-compatibility bug when parsing compressed JWTs created from 0.10.6 or earlier using the DEFLATE compression algorithm.

  • v0.10.7 Changes

    🚀 This patch release:

    • ➕ Adds a new Community section in the documentation discussing asking questions, using Slack and Gitter, and opening new issues and pull requests.
    • 🛠 Fixes a memory leak found in the DEFLATE compression codec implementation.
    • 🚀 Updates the Jackson dependency version to 🔒 to address three security vulnerabilities in Jackson: CVE-2019-12086, CVE-2019-12384, and CVE-2019-12814.
    • 🛠 Fixes a bug when Jackson is in the classpath but the jjwt-jackson .jar is not.
    • 🛠 Includes various documentation and typo fixes.
  • v0.10.6 Changes

    🚑 This patch release updates the jackson-databind version to 2.9.8 to address a critical security vulnerability in that library.

  • v0.10.5 Changes

    🚀 This patch release fixed an Android org.json library compatibility issue.

  • v0.10.4 Changes

    🚀 This patch release fixed an outstanding issue with JCA name case-sensitivity that impacted Android and was not caught in the 0.10.3 release.

  • v0.10.3 Changes

    🚀 This is a minor patch release that fixed a key length assertion for SignatureAlgorithm.forSigningKey that was failing in Android environments. The Android dependencies and ProGuard exclusions documentation was updated as well to reflect Android Studio 3.0 conventions.