Connect2id

Nimbus JOSE+JWT Roadmap for 2026 and Beyond

As the JOSE ecosystem continues to evolve, we are now in a phase where modern cryptography is being reshaped by two trends: the transition to post-quantum security and the increasing need for verifiable software supply chains. Our updated 2026+ roadmap for the Nimbus JOSE+JWT library focuses on both.

Post-Quantum JOSE

The IETF is finalising several JOSE and COSE specifications that bring post-quantum digital signatures and key establishment into mainstream use. Nimbus JOSE+JWT will track these developments:

  • ML-DSA (Dilithium) and SLH-DSA (SPHINCS+) for JWS, based on the NIST FIPS 204 and 205 families.

  • Hybrid Public Key Encryption (HPKE) and Module-Lattice-based KEMs (ML-KEMs) for JWE, enabling quantum-resistant and hybrid encryption setups.

An immediate task on the roadmap is the move to fully specified algorithm identifiers (e.g., Ed25519 and Ed448, per RFC 9864).

These additions prepare Nimbus JOSE+JWT for the long transition period where classical, hybrid, and post-quantum primitives will coexist.

Verified and Reproducible Builds

Security today extends beyond cryptographic algorithms: it includes the trustworthiness of the software supply chain itself. Our aims:

  • Reproducible builds, ensuring that anyone can rebuild a release from source and obtain identical artifacts.

  • Build attestations, providing cryptographically signed provenance that records how each artifact was produced, down to the commit and CI environment.

This combination lets downstream dependents and auditors independently verify both the integrity and the authenticity of every published library binary.
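As an added illustration (not part of the Nimbus JOSE+JWT project or its build tooling), the following sketch shows how a rebuilt JAR can be compared with a published one and, when they are not byte-identical, how the cause can be classified: changed content, entry timestamps, or entry order. The function names, entry names and contents are constructed for the example.

```python
import hashlib
import io
import zipfile

def build_jar(entries, timestamp):
    """Build an in-memory JAR (ZIP) from (name, bytes) pairs with one fixed entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=timestamp), content)
    return buf.getvalue()

def manifest(jar_bytes):
    """Return ordered (name, sha256 of uncompressed content, timestamp) for each entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [(i.filename, hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()]

def compare_jars(published, rebuilt):
    """Classify why a rebuilt JAR differs from the published one."""
    report = {"identical": published == rebuilt, "missing": [], "extra": [],
              "content": [], "timestamps": [], "order": False}
    if report["identical"]:
        return report
    pub, reb = manifest(published), manifest(rebuilt)
    pub_map = {n: (h, t) for n, h, t in pub}
    reb_map = {n: (h, t) for n, h, t in reb}
    common = pub_map.keys() & reb_map.keys()
    report["missing"] = sorted(pub_map.keys() - reb_map.keys())
    report["extra"] = sorted(reb_map.keys() - pub_map.keys())
    for name in sorted(common):
        if pub_map[name][0] != reb_map[name][0]:
            report["content"].append(name)      # payload bytes differ
        elif pub_map[name][1] != reb_map[name][1]:
            report["timestamps"].append(name)   # same bytes, non-deterministic metadata
    report["order"] = ([n for n, _, _ in pub if n in common]
                       != [n for n, _, _ in reb if n in common])
    return report

# Constructed sample input: two entries and two build times (ZIP stores even seconds only).
ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
           ("com/example/Demo.class", b"\xca\xfe\xba\xbe constructed class bytes")]
T1 = (2026, 1, 1, 0, 0, 0)
T2 = (2026, 1, 2, 10, 30, 0)

if __name__ == "__main__":
    print(compare_jars(build_jar(ENTRIES, T1), build_jar(ENTRIES, T2)))
```

A report with only `timestamps` or `order` populated points at non-deterministic packaging rather than different code, which is the usual first obstacle to a reproducible build.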

Nice to have

Alongside PQC and verified builds, the roadmap includes a list of nice-to-have features:

  • A pluggable JSON SPI to enable developers to replace the shaded JSON dependency.

  • A fluent API for creating and processing JOSE objects and JWTs.

  • New logging and metrics extension points.

  • Annotations for modelling claim sets directly from Java objects.

  • A benchmark suite to measure the performance of JWS/JWE algorithms and HSM-backed JCA providers.

Survey of projects that depend on Nimbus JOSE+JWT

Since its inception in 2012, adoption of the Nimbus JOSE+JWT library has grown steadily. To gain a rough picture of its ecosystem reach, we conducted a small survey across GitHub, Bitbucket, and Maven Central to identify publicly visible projects that depend on it.

For the current 10.5 release, Maven Central lists 1228 software artifacts that declare a dependency on Nimbus JOSE+JWT.

Here is a selected list of dependents in a range of domains, including cloud infrastructure, popular open-source projects, commercial products, and e-government platforms.