Matios.Security 0.1.1

.NET 10.0 This package targets .NET 10.0. The package is compatible with this framework or higher. 
dotnet add package Matios.Security --version 0.1.1
                    


                    

                
NuGet\Install-Package Matios.Security -Version 0.1.1
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Matios.Security" Version="0.1.1" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="Matios.Security" Version="0.1.1" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="Matios.Security" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add Matios.Security --version 0.1.1
                    


                    

                
#r "nuget: Matios.Security, 0.1.1"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package Matios.Security@0.1.1
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=Matios.Security&version=0.1.1
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=Matios.Security&version=0.1.1
                    


                            Install as a Cake Tool

Matios.Security

Dependency-free JOSE + JWT for .NET — built only on the BCL.

JWE (RFC 7516) · JWS (RFC 7515) · JWT (RFC 7519) · Nested JWT

What is JOSE?

JOSEJSON Object Signing and Encryption — is the IETF standards family behind modern web tokens:

RFC Piece What it does
7515 JWS Signed content — integrity + authenticity
7516 JWE Encrypted content — confidentiality
7517 JWK Keys represented as JSON
7518 JWA The algorithm catalog the others reference
7519 JWT Claims (tokens) built on top of JWS/JWE

Why Matios.Security

  • Zero dependencies. Built only on System.Security.Cryptography and System.Text.Json — nothing else, ever.
  • It encrypts what Microsoft's stack cannot. Microsoft.IdentityModel.* can decrypt JWE A256GCM but cannot issue it (IDX10715), and cannot decrypt it at all on Linux/macOS. This library issues and consumes dir+A256GCM on every platform — and interops with Microsoft.IdentityModel for validation (covered by tests).
  • Strict by design. Closed algorithm enums (no magic strings, no alg:"none"), caller-side algorithm whitelists — the token header never decides on its own. zip rejected, unknown crit rejected, duplicate header/claim names rejected.
  • Anti-oracle errors. One generic exception; the fine-grained failure code is for server-side logging only.

Quick start

using Matios.Security.Jose;
using Matios.Security.Jwt;

// Use DIFFERENT keys for signing and encryption. Minimum 256 bits.
SymmetricJoseKey signingKey = SymmetricJoseKey.FromBase64Url(signingKeyB64, "sig-2026");
SymmetricJoseKey encryptionKey = SymmetricJoseKey.FromBase64Url(encryptionKeyB64, "enc-2026");

// Signed JWT (JWS) — add ONE line to make it encrypted (Nested JWT)
string token = new JwtBuilder()
    .Issuer("my-platform")
    .Audience("my-api")
    .Subject(userId)
    .IdAuto()
    .Lifetime(TimeSpan.FromMinutes(30))
    .Claim("RoleId", 7)                     // private claims: any JSON-serializable value
    .SignWith(signingKey)
    .EncryptWith(encryptionKey)             // JWE dir+A256GCM outside, signature inside
    .Create();

// Validation
JwtClaims claims = JwtValidator.Validate(token, new JwtValidationParameters
{
    SigningKey = signingKey,
    DecryptionKey = encryptionKey,   // set => token MUST be JWE (no silent downgrade)
    ValidIssuer = "my-platform",
    ValidAudience = "my-api"
});

long roleId = claims.GetClaim<long>("RoleId");

Scope — deliberately minimal

Supported (v0.x) Not supported, by design
JWE Compact dir + A256GCM zip (compression oracle) — rejected, ever
JWS Compact HS256 alg: "none" — does not exist in the API
Nested JWT (cty:"JWT") JSON Serialization / multi-recipient
JWK kty:"oct" key input RSA-OAEP / ECDH-ES / A256KW / RS256 (future, if real interop demands them)

Everything implemented is conformant and covered by tests; everything outside the profile is cleanly rejected.

Conformance evidence

  • Official RFC 7515 Appendix A.1 HS256 vector (accept + tampered-reject).
  • Bidirectional interop against Microsoft.IdentityModel.JsonWebTokens (an independent implementation), with canary tests pinning its two A256GCM limitations.
  • Strict negative suite: zip, crit, algorithm confusion, none, tampered AAD/tag, duplicate names, oversized tokens, undersized keys.
  • 49 tests, all green on Ubuntu and Windows, on every CI run.
Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

  • net10.0

    • No dependencies.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
0.1.1 92 6/12/2026