v3.4.0 · null-safe · all algorithms

JSON Web Tokens
for Dart, done right.

An easy-to-use JWT (RFC 7519) implementation for Dart. Sign, decode and verify — every standard algorithm, in just a few lines.

$ get started→view on pub.dev↗

800K+ downloads

357 likes

MIT licensed

14 algorithms

— zsh — dart_jsonwebtoken demo —

↻ click to replay

➜ ~/auth

pub

$dart pub add dart_jsonwebtoken

§ quickstart

Three functions and keys. That's the whole API.

sign, decode, verify — one call each, no setup, no boilerplate. Pick an algorithm, pass your key, ship.

sign.dart

dart 3.x

// 1. Build a JWT with your payload.
final jwt = JWT({
  'id': 123,
  'server': {
    'id': '3e4fc296',
    'loc': 'euw-2',
  },
});
// 2. Sign it (default HS256).
final token = jwt.sign(SecretKey('secret passphrase'));
print('Signed: $token');

§ capabilities

Ships with everything the spec requires.

RFC 7519 compliant. The only JWT library you need for anything written in Dart — from Flutter apps to backend services.

001 —

All standard algorithms

14 algorithms covered: HMAC (256/384/512), RSA-PKCS1, RSA-PSS, ECDSA (incl. secp256k1), and EdDSA on ed25519.

002 —

Symmetric & asymmetric keys

Load secrets, PEM private keys or public keys from certificates. Sane constructors, typed errors.

003 —

Typed exceptions

JWTExpiredException, JWTInvalidException, JWTParseException — pattern-match in your control flow.

004 —

Claim helpers

First-class support for iss, sub, aud, exp, nbf, iat and jti. Validated at verify time.

005 —

Zero ceremony

One import, one factory. Sign a token in four lines, verify one in three. No configuration object tree.

006 —

Runs everywhere Dart does

Flutter mobile, Flutter web, Dart VM server, Dart CLI. Single pub.dev package, cross-platform.

§ algorithms

14 signing algorithms. Pick your threat model.

Full coverage of the JWA spec (RFC 7518) and the EdDSA extension (RFC 8037) — HMAC, RSA, RSA-PSS, ECDSA and EdDSA. Whatever your stack already trusts, dart_jsonwebtoken signs and verifies it out of the box.

hash → ↓ family	SHA-256 standard	SHA-384 stronger	SHA-512 strongest	secp256k1 bitcoin curve
HMAC symmetric secret Fast shared-secret signatures	HS256	HS384	HS512	—
RSA PKCS#1 v1.5 Classic asymmetric signatures	RS256	RS384	RS512	—
RSA-PSS probabilistic Modern RSA with random salt	PS256	PS384	PS512	—
ECDSA elliptic curve Compact signatures, NIST curves	ES256 P-256	ES384 P-384	ES512 P-521	ES256K secp256k1
EdDSA edwards curve State-of-the-art, deterministic	—	—	EdDSA ed25519	—

§ playground

Decode and encode JWTs, live.

The real dart_jsonwebtoken package running in your browser — compiled to JavaScript. Sign and verify with every algorithm the library supports.

loading dart…alg

Encoded Token

—

✗

Decoded Header

—

Decoded Payload

—

Secret — verify

Shared secret:

§ frequently asked

Questions that come up often.

Yes. The package is pure Dart and runs on the VM, Flutter mobile, Flutter desktop, and Flutter web. Asymmetric algorithms rely on pointycastle, which is cross-platform.

All standard JWA algorithms: HS256/384/512, RS256/384/512, PS256/384/512, ES256/256K/384/512, and EdDSA on ed25519. Fourteen in total.

The verify() call throws JWTExpiredException for expired tokens and JWTException for invalid signatures. Catch them separately to return proper HTTP status codes.

Yes — use JWT.decode(token) to inspect the header and payload. Never use it for authorization; always call JWT.verify() for tokens you trust.

Pass PEM content as a string to RSAPrivateKey, RSAPublicKey, ECPrivateKey, ECPublicKey, or EdDSA* constructors. Use RSAPublicKey.cert() to extract from an X.509 certificate.

Yes. The library produces fully spec-compliant JWTs per RFC 7519, so tokens round-trip cleanly with jwt.io and every other compliant implementation.

Open an issue on the GitHub repository linked from the pub.dev listing. Bug reports, feature requests, and PRs are all welcome.

JSON Web Tokensfor Dart, done right.