jwt none algorithm support

Open vickyRathee opened this issue 7 months ago • 1 comments

What is the feature you are proposing?

Can we add alg: none support in jwt.sign()? Currently it supports HS256... RS etc., but sometimes we need none as well to comply with other APIs.

https://hono.dev/docs/helpers/jwt#supported-algorithmtypes

For example, I am integrating with PayPal and they want the JWT token with the none algorithm.

vickyRathee avatar May 28 '25 07:05 vickyRathee

Hi, @vickyRathee

I’d be careful with adding alg: none to the core API. Since it creates unsigned tokens, it can easily be misused and introduce security risks. For cases where you need it (interop, testing, mocks, etc.), it’s usually better to use a third-party lib or manually build the token. That way the framework stays safe by default, but you still have a path when none is really required. If there is any issue with integrating and using a 3rd-party library, that should be mitigated.

Abhishek-jha-96 avatar Aug 16 '25 14:08 Abhishek-jha-96
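
The manual-build route suggested in the comment above, as an added example that is not part of the thread or of Hono's code: it builds the unsecured token for an outbound call and pairs it with a header check that keeps such tokens out of the service's own verification path. The function names and the sample claim are hypothetical.

```javascript
// Added example, not Hono code. Function names and claim values are hypothetical.

// base64url-encode a JSON object the way JWT segments require (no padding).
function b64urlJson(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
}

// Outbound only: build an unsecured JWT (RFC 7519, section 6) for an API that
// asks for one. The signature segment is empty, but the trailing dot stays.
function buildUnsecuredJwt(claims) {
  return `${b64urlJson({ alg: 'none' })}.${b64urlJson(claims)}.`;
}

// Inbound guard: parse the header without trusting it and require the single
// algorithm this service is configured for. Run it before signature
// verification; it does not replace verification.
function requirePinnedAlg(token, expectedAlg) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    throw new Error('malformed header');
  }
  const alg = header && typeof header.alg === 'string' ? header.alg : '';
  // Reject "none" in any letter case, and any token with an empty signature.
  if (alg.toLowerCase() === 'none' || parts[2] === '') {
    throw new Error('unsigned token rejected');
  }
  if (alg !== expectedAlg) throw new Error(`unexpected alg: ${alg}`);
  return header;
}

// Constructed sample claim for an outbound request.
const outboundToken = buildUnsecuredJwt({ iss: 'example-client-id' });
console.log(outboundToken);
```

Keeping the builder in the integration module that talks to the external API, and the guard in front of every inbound verify call, keeps the unsigned format from leaking into authentication code.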