oidc-token-hash creates and validates OpenID Connect ID Token `*_hash` claims like `at_hash` and `c_hash`. It can generate the expected hash values and verify that a received `*_hash` matches the corresponding token, using the hash algorithm specified by the ID Token JOSE header `alg`.
Project status
- Maintenance status: Appears actively maintained, with an upstream GitHub push on 2026-05-22 and multiple recent updates across 2025.
- Update cadence: Not perfectly regular, but work is ongoing. The most recent tagged update shown is v5.2.0 (2025-11-04), and the repository still saw activity in May 2026, suggesting continued evolution after the last published tag.
AI summary generated
Recent updates
v5.2.0
This release primarily adds support for the ML-DSA JWS Algorithm Identifiers (ML-DSA-44, ML-DSA-65, ML-DSA-87) when generating and validating OIDC id_token _hash values. The implementation maps these algorithms to shake256 with a fixed output length, and corresponding test vectors and README documentation were updated. No publisher release notes were provided.
Featuresv5.1.1
Release v5.1.1 makes a small internal change around Ed448 hashing and updates CI workflow permissions. The code diff shows the library no longer conditionally checks for Node.js shake256 availability before using crypto.createHash('shake256').
Breakingv5.1.0
The publisher did not provide any release notes for v5.1.0, so there is no documented information about new functionality, fixes, or breaking changes. Developers should review the repository diff and changelog/commit history for this version to determine upgrade impact.
v5.0.3
This release is essentially a patch version bump to 5.0.3 with a small runtime change in the SHAKE256 feature-detection logic. There are no release notes provided, so the only changes we can rely on are from the actual diff.
v5.0.2
v5.0.2 primarily updates how the library detects Node.js version support for shake256/XOF output length, replacing deprecated string parsing. The release also includes CI workflow adjustments and starts committing a package-lock.json file.
v5.0.1
This release (v5.0.1) makes a small implementation change to how base64url values are produced, using Node.js native base64url encoding when available. It also updates development tooling and adjusts the CI test matrix.
v5.0.0
This release (v5.0.0) modifies the internal hashing logic used by oidc-token-hash, with a specific focus on EdDSA Ed448. It adds a runtime capability check for shake256 support and changes how shake256 is configured (output length) when computing hashes.
Breakingv4.0.0
This release (v4.0.0) makes a substantial API refactor and adds EdDSA support, including hashing behavior that depends on the EdDSA curve. Release notes from the publisher are missing, so the changes are effectively only discoverable by reading the code and README. The implementation also tightens validation semantics and changes what is exported from the package.
Featuresv3.0.2
Release v3.0.2 updates the implementation of OIDC token hash encoding and adjusts build/test configuration. The publisher did not provide release notes, so these changes are effectively undocumented from a release-notes perspective.
v3.0.1
Release v3.0.1 was published on 2018-05-17. No release notes were provided, so the changes included in this version are not documented in the publisher notes, and developers should review the diff/changelog in the repository to identify any potential compatibility or behavior changes.