java - JSON Web Token Support For The JVM does include impl, api and jackson?

Question

I need to use a dependency JWT in java for secure token authentication in my Java application. My question is. Do I need to use all 3 dependencies individual as :

    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-api</artifactId>
        <version>0.11.0</version>
    </dependency>

    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-impl</artifactId>
        <version>0.11.0</version>
        <scope>runtime</scope>
    </dependency>
    
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-jackson</artifactId>
        <version>0.11.0</version>
        <scope>runtime</scope>
    </dependency>

Or I can use a single one who includes all of them :

    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.9.1</version>
    </dependency>

And why do I need to specify the scope at run-time when

Notice the above dependency declarations all have only one compile-time dependency and the rest are declared as runtime dependencies.

This is because JJWT is designed so you only depend on the APIs that are explicitly designed for you to use in your applications and all other internal implementation details - that can change without warning - are relegated to runtime-only dependencies. This is an extremely important point if you want to ensure stable JJWT usage and upgrades over time:

JJWT guarantees semantic versioning compatibility for all of its artifacts except the jjwt-impl .jar. No such guarantee is made for the jjwt-impl .jar and internal changes in that .jar can happen at any time. Never add the jjwt-impl .jar to your project with compile scope - always declare it with runtime scope.

Understanding JJWT Dependencies

question from:https://stackoverflow.com/questions/65934148/json-web-token-support-for-the-jvm-does-include-impl-api-and-jackson

Answer 1

Prior to the JJWT version 0.10.0, both the io.jsonwebtoken:jjwt-api and io.jsonwebtoken:jjwt-impl were packaged as a single artifact, io.jsonwebtoken:jjwt.

With release JJWT version 0.10.0, these have been split into two different artifcats.

from release notes of JJWT Release Notes, version 0.10.0:

BACKWARDS-COMPATIBILITY NOTICE:

JJWT's new modular design utilizes distinctions between compile and runtime dependencies to ensure you only depend on the public APIs that are safe to use in your application. All internal/private implementation classes have been moved to a new jjwt-impl runtime dependency.

If you depended on any internal implementation classes in the past, you have two choices:

Refactor your code to use the public-only API classes and interfaces in the jjwt-api .jar. Any functionality you might have used in the internal implementation should be available via newer cleaner interfaces and helper classes in that .jar.

Specify the new jjwt-impl .jar not as a runtime dependency but as a compile dependency. This would make your upgrade to JJWT 0.10.0 fully backwards compatible, but you do so at your own risk. JJWT will make NO semantic version compatibility guarantees in the jjwt-impl .jar moving forward. Semantic versioning will be very carefully adhered to in all other JJWT dependencies however.