diff xml/en/docs/http/ngx_http_auth_jwt_module.xml @ 2713:efb3d27dfa23

Updated docs for the upcoming NGINX Plus release.
author Yaroslav Zhuravlev <yar@nginx.com>
date Mon, 26 Apr 2021 12:52:35 +0100
parents 1f2bd0d9a06c
children 9dd8c203a54a
--- a/xml/en/docs/http/ngx_http_auth_jwt_module.xml	Tue Apr 20 17:49:29 2021 +0300
+++ b/xml/en/docs/http/ngx_http_auth_jwt_module.xml	Mon Apr 26 12:52:35 2021 +0100
@@ -18,9 +18,11 @@
 implements client authorization by validating the provided
 <link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT)
 using the specified keys.
-JWT claims must be encoded in a
+JWT claims can be encoded in a
 <link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS)
-structure.
+or
+<link url="https://tools.ietf.org/html/rfc7516">JSON Web Encryption</link> (JWE)
+(1.19.7) structure.
 The module can be used for
 <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link>
 authentication.
@@ -37,9 +39,24 @@
 </para>
 
 <para>
-The module supports the following cryptographic
-<link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">algorithms</link>:
+<note>
+This module is available as part of our
+<commercial_version>commercial subscription</commercial_version>.
+</note>
+</para>
+
+</section>
+
 
+<section id="algorithms" name="Supported Algorithms">
+
+<para>
+The module supports the following JSON Web
+<link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">Algorithms</link>.
+</para>
+
+<para>
+JWS algorithms:
 <list type="bullet">
 
 <listitem>
@@ -60,15 +77,44 @@
 
 </list>
 
+<note>
 Prior to version 1.13.7,
 only HS256, RS256, ES256 algorithms were supported.
+</note>
 </para>
 
 <para>
-<note>
-This module is available as part of our
-<commercial_version>commercial subscription</commercial_version>.
-</note>
+JWE content encryption algorithms (1.19.7):
+<list type="bullet">
+
+<listitem>
+A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
+</listitem>
+
+<listitem>
+A128GCM, A192GCM, A256GCM
+</listitem>
+
+</list>
+</para>
+
+<para>
+JWE key management algorithms (1.19.9):
+<list type="bullet">
+
+<listitem>
+A128KW, A192KW, A256KW
+</listitem>
+
+<listitem>
+A128GCMKW, A192GCMKW, A256GCMKW
+</listitem>
+
+<listitem>
+dir&mdash;direct use of a shared symmetric key as the content encryption key
+</listitem>
+
+</list>
 </para>
 
 </section>
@@ -149,6 +195,14 @@
 </note>
 </para>
 
+<para>
+<note>
+Variable values for tokens encrypted with JWE
+are available only after decryption which occurs during the
+<link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase.
+</note>
+</para>
+
 </directive>
 
 
@@ -249,6 +303,24 @@
 
 </directive>
 
+
+<directive name="auth_jwt_type">
+<syntax><value>signed</value> | <value>encrypted</value></syntax>
+<default>signed</default>
+<context>http</context>
+<context>server</context>
+<context>location</context>
+<context>limit_except</context>
+<appeared-in>1.19.7</appeared-in>
+
+<para>
+Specifies which type of JSON Web Token to expect:
+JWS (<literal>signed</literal>) or
+JWE (<literal>encrypted</literal>).
+</para>
+
+</directive>
+
 </section>
 
 
@@ -277,6 +349,12 @@
 the value of the variable cannot be evaluated;
 the <link id="auth_jwt_claim_set"/> directive should be used instead.
 </para>
+
+<para>
+Variable values for tokens encrypted with JWE
+are available only after decryption which occurs during the
+<link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase.
+</para>
 </tag-desc>
 
 </list>