basebox-tech · rb090 · Sep 24, 2025
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,13 +10,22 @@ authors = ["Markus Thielen <markus.thielen@basebox.tech>"]
 keywords = ["jose", "jwt", "openid-connect", "crypto"]
 description = "A simple to use, well documented JWT validation library, mainly for validating OpenID Connect ID Tokens."
 
+[features]
+# Keep current behavior as default (OpenSSL via `native-tls).
+default = ["tls-native"]
+# Re-export reqwest's TLS backends as features.
+# Users of the library can enable `tls-rustls` (Rustls) if they prefer using it for TLS handling over OpenSSL with `native-tls`.
+tls-native = ["reqwest/native-tls"]
+tls-rustls = ["reqwest/rustls-tls"]
+
 [dependencies]
 url = { version = "2.1" }
 thiserror = "1.0"
 base64 = "0.21"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-reqwest = { version = "0.12" }
+# Turn off `reqwest` defaults to control the TLS feature surface with the `features` setup for  tls.
+reqwest = { version = "0.12", default-features = false }
 ring = { version = "0.17.13", features = ["std"] }
 simple_asn1 = "0.6.2"
 pem = "3.0.1"

diff --git a/README.md b/README.md
@@ -187,6 +187,20 @@ async fn main() {
 }
 ```
 
+### TLS backend configuration (`native-tls` vs `rustls`)
+
+By default, `bbjwt` uses OpenSSL via `native-tls` (the default `reqwest` TLS backend).
+It can be overriden with Rusttls instead, which is a pure-Rust TLS implementation, by enabling the `tls-rustls feature:
+
+```
+bbjwt = { version = "0.x.y", default-features = false, features = ["tls-rustls"] }
+```
+
+To stick with the default OpenSSL-based setup, `bbjwt` should be declared as a regular dependency:
+
+```
+bbjwt = "0.x.y"
+```
 
 Copyright (c) 2022 basebox GmbH, all rights reserved.