Skip to main content


Create and verify JSON Web Tokens with Deno or the browser.


Please use the native Web Crypto API to generate a secure CryptoKey.

const key = await crypto.subtle.generateKey(
  { name: "HMAC", hash: "SHA-512" },
  ["sign", "verify"],


Takes Header, Payload and CryptoKey and returns the url-safe encoded jwt.

import { create } from "$VERSION/mod.ts";

const jwt = await create({ alg: "HS512", typ: "JWT" }, { foo: "bar" }, key);


Takes jwt, CryptoKey and VerifyOptions and returns the Payload of the jwt if the jwt is valid. Otherwise it throws an Error.

import { verify } from "$VERSION/mod.ts";

const payload = await verify(jwt, key); // { foo: "bar" }
// Accepts an generic type argument optionally:
const payload = await verify<{ foo: string }>(jwt, key); // { foo: "bar" }


Takes a jwt and returns a 3-tuple [header: JsonValue, payload: JsonValue, signature: Uint8Array] if the jwt has a valid serialization. Otherwise it throws an Error. This function does not verify the digital signature.

import { decode } from "$VERSION/mod.ts";

const [header, payload, signature] = decode(jwt);


This helper function simplifies setting a NumericDate. It takes either a Date object or a number (in seconds) and returns the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time.

// A specific date:
const exp = getNumericDate(new Date("2025-07-01"));
// One hour from now:
const nbf = getNumericDate(60 * 60);


Expiration Time (exp)

The optional exp claim in the payload identifies the expiration time on or after which the JWT must not be accepted for processing. Its value must be a number containing a NumericDate value. This module checks if the current date/time is before the expiration date/time listed in the exp claim.

const jwt = await create(header, { exp: getNumericDate(60 * 60) }, key);

Not Before (nbf)

The optional nbf (not before) claim identifies the time before which the jwt must not be accepted for processing. Its value must be a number containing a NumericDate value.


The following signature and MAC algorithms have been implemented:

  • HS256 (HMAC SHA-256)
  • HS384 (HMAC SHA-384)
  • HS512 (HMAC SHA-512)
  • RS256 (RSASSA-PKCS1-v1_5 SHA-256)
  • RS384 (RSASSA-PKCS1-v1_5 SHA-384)
  • RS512 (RSASSA-PKCS1-v1_5 SHA-512)
  • PS256 (RSASSA-PSS SHA-256)
  • PS384 (RSASSA-PSS SHA-384)
  • PS512 (RSASSA-PSS SHA-512)
  • ES256 (ECDSA using P-256 and SHA-256)
  • ES384 (ECDSA using P-384 and SHA-384)
  • ES512 (ECDSA using P-521 and SHA-512)
  • none (Unsecured JWTs).


This application uses the JWS Compact Serialization only.



We welcome and appreciate all contributions to djwt.

A big Thank You to timreichen and all the other amazing contributors.