Create and verify JSON Web Tokens.

JSON Web Token


Takes a header, payload and key and returns the url-safe encoded jwt.

import { create } from "$VERSION/djwt/mod.ts"

const jwt = await create({ alg: "HS512", typ: "JWT" }, { foo: "bar" }, "secret")
// eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.WePl7achkd0oGNB8XRF_LJwxlyiPZqpdNgdKpDboAjSTsWq-aOGNynTp8TOv8KjonFym8vwFwppXOLoLXbkIaQ


Takes a jwt, key and an algorithm and returns the payload of the jwt if the jwt is valid. Otherwise it throws an Error.

import { verify } from "$VERSION/djwt/mod.ts"

const payload = await verify(jwt, "secret", "HS512") // { foo: "bar" }


Takes a jwt to return an object with the header, payload and signature properties if the jwt is valid. Otherwise it throws an Error.

import { decode } from "$VERSION/djwt/mod.ts"

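const jwt =
  "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.WePl7achkd0oGNB8XRF_LJwxlyiPZqpdNgdKpDboAjSTsWq-aOGNynTp8TOv8KjonFym8vwFwppXOLoLXbkIaQ"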

const { payload, signature, header } = await decode(jwt)
// { header: { alg: "HS512", typ: "JWT" }, payload: { foo: "bar" }, signature: "59e3e5eda72191dd2818d07c5d117f2c9c3197288f66aa5d36074aa436e8023493b16abe68e18dca74e9f133aff0a8e89c5ca6f2fc05c29a5738ba0b5db90869" }


Expiration Time (exp)

The optional exp claim in the payload (number of seconds since January 1, 1970, 00:00:00 UTC) identifies the expiration time on or after which the JWT must not be accepted for processing. This module checks if the current date/time is before the expiration date/time listed in the exp claim.

const oneHour = 60 * 60
// exp is expressed in seconds, so convert Date.now() from milliseconds
const jwt = await create(header, { exp: Date.now() / 1000 + oneHour }, "secret")


We export the helper function getNumericDate, which simplifies setting an expiration date. It takes either a Date object or a number (in seconds) as argument.

// A specific date:
getNumericDate(new Date("2025-07-01"))
// One hour from now:
getNumericDate(60 * 60)

Not Before (nbf)

The optional nbf (not before) claim identifies the time before which the jwt must not be accepted for processing. Its value must be a number containing a NumericDate value like the exp claim does.


The following signature and MAC algorithms have been implemented:

  • HS256 (HMAC SHA-256)
  • HS512 (HMAC SHA-512)
  • RS256 (RSASSA-PKCS1-v1_5 SHA-256)
  • none (Unsecured JWTs).


This application uses the JWS Compact Serialization only.
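
The exp and nbf rules above, applied to a token split by the three-segment JWS Compact Serialization, as an added JavaScript example that is not djwt's own code. The names decodeCompact, checkTimeClaims, precheck and sampleToken are hypothetical, the algorithm comparison is an assumed caller policy, and no signature is verified here.

```javascript
// Added example, not djwt code. It does not verify signatures; it shows only
// the compact-serialization parsing and the exp/nbf/alg acceptance rules.
const PAGE_JWT = // token printed by the create() example on this page
  "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.WePl7achkd0oGNB8XRF_LJwxlyiPZqpdNgdKpDboAjSTsWq-aOGNynTp8TOv8KjonFym8vwFwppXOLoLXbkIaQ";

function b64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error("invalid base64url");
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function parseJsonObject(segment) {
  const value = JSON.parse(new TextDecoder().decode(b64urlToBytes(segment)));
  const isObject = value !== null && typeof value === "object" && !Array.isArray(value);
  if (!isObject) throw new Error("segment is not a JSON object");
  return value;
}

// JWS Compact Serialization: exactly header.payload.signature (signature as hex).
function decodeCompact(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const hex = (b) => b.toString(16).padStart(2, "0");
  const signature = Array.from(b64urlToBytes(parts[2]), hex).join("");
  return { header: parseJsonObject(parts[0]), payload: parseJsonObject(parts[1]), signature };
}

// exp: reject on or after exp. nbf: reject before nbf. Non-numeric values fail closed.
function checkTimeClaims(payload, nowSeconds) {
  for (const name of ["exp", "nbf"]) {
    if (name in payload && !Number.isFinite(payload[name])) return "malformed " + name;
  }
  if ("exp" in payload && nowSeconds >= payload.exp) return "expired";
  if ("nbf" in payload && nowSeconds < payload.nbf) return "not yet valid";
  return "ok";
}

// Assumed caller policy: accept only the one algorithm the caller expects,
// so a header carrying "none" is refused when "HS512" is required.
function precheck(jwt, expectedAlg, nowSeconds) {
  const { header, payload } = decodeCompact(jwt);
  if (header.alg !== expectedAlg) return "algorithm mismatch";
  return checkTimeClaims(payload, nowSeconds);
}

// Constructed sample token with a dummy signature, for exercising the checks.
function sampleToken(header, payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(payload)}.AA`;
}
```

precheck(PAGE_JWT, "HS512", Date.now() / 1000) returns "ok" because that token carries neither exp nor nbf; a caller that requires an expiry has to check for the claim's presence as well.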