diff --git a/jose/deno.json b/jose/deno.json
new file mode 100644
index 0000000..71ea3e4
--- /dev/null
+++ b/jose/deno.json
@@ -0,0 +1,5 @@
+{
+  "imports": {
+    "jose": "npm:jose@^5.9.6"
+  }
+}
diff --git a/jose/deno.lock b/jose/deno.lock
new file mode 100644
index 0000000..66d72cf
--- /dev/null
+++ b/jose/deno.lock
@@ -0,0 +1,17 @@
+{
+  "version": "4",
+  "specifiers": {
+    "npm:jose@*": "5.9.6",
+    "npm:jose@^5.9.6": "5.9.6"
+  },
+  "npm": {
+    "jose@5.9.6": {
+      "integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ=="
+    }
+  },
+  "workspace": {
+    "dependencies": [
+      "npm:jose@^5.9.6"
+    ]
+  }
+}
diff --git a/jose/jwe.ts b/jose/jwe.ts
new file mode 100644
index 0000000..baec27b
--- /dev/null
+++ b/jose/jwe.ts
@@ -0,0 +1,38 @@
+import {
+  compactDecrypt,
+  CompactEncrypt,
+  exportJWK,
+  generateKeyPair,
+  importJWK,
+} from "npm:jose";
+
+/*
+ * JWE_SECRET=$(openssl rand -base64 32) deno run -A jwe.ts
+ */
+
+const encryptionKey = await importJWK({
+  kty: "oct",
+  k: Deno.env.get("JWE_SECRET"),
+});
+
+const keyToEncrypt = await generateKeyPair("ES256", { extractable: true });
+const privateKeyJWK = await exportJWK(keyToEncrypt.privateKey);
+
+// encrypt
+const jwe = await new CompactEncrypt(
+  new TextEncoder().encode(JSON.stringify(privateKeyJWK)),
+)
+  .setProtectedHeader({
+    alg: "dir",
+    enc: "A256GCM",
+  })
+  .encrypt(encryptionKey);
+
+// decrypt
+const res = await compactDecrypt(jwe, encryptionKey);
+const jwk = JSON.parse(new TextDecoder().decode(res.plaintext));
+
+console.log({
+  jwe,
+  jwk,
+});