jaguar_jwt 2.1.6

  • Readme
  • Changelog
  • Example
  • Installing
  • 94

Build Status

jaguar_jwt #

JWT utilities for Dart and Jaguar.dart

This library can be used to generate and process JSON Web Tokens (JWT). For more information about JSON Web Tokens, see RFC 7519.

Currently, only the HMAC SHA-256 algorithm is supported to generate/process a JSON Web Signature (JWS).

Usage #

Issuing a JWT #

  final key = 's3cr3t';
  final claimSet = new JwtClaim(
      subject: 'kleak',
      issuer: 'teja',
      audience: <String>['', ''],
      otherClaims: <String,dynamic>{
        'typ': 'authnresponse',
        'pld': {'k': 'v'}},
      maxAge: const Duration(minutes: 5));

  String token = issueJwtHS256(claimSet, key);

Processing a JWT #

To process a JWT:

  1. Verify the signature and extract the claim set.
  2. Validate the claim set.
  3. Extract claims from the claim set.
  try {
    final JwtClaim decClaimSet = verifyJwtHS256Signature(token, key);
    // print(decClaimSet);

    decClaimSet.validate(issuer: 'teja', audience: '');

    if (claimSet.jwtId != null) {
    if (claimSet.containsKey('typ')) {
      final v = claimSet['typ'];
      if (v is String) {
      } else {

  } on JwtException {

Configuration #

JwtClaimSet #

JwtClaimSet is the model to holds JWT claim set information.

These are the registered claims:

  1. issuer
    Authority issuing the token. This will be used during authorization to verify that expected issuer has issued the token. Fills the iss field of the JWT.
  2. subject
    Subject of the token. Usually stores the user ID of the user to which the token is issued. Fills the sub field of the JWT.
  3. audience
    List of audience that accept this token. This will be used during authorization to verify that JWT has expected audience for the service. Fills aud field in JWT.
  4. expiry
    Time when the token becomes no longer acceptable for process. Fills exp field in JWT.
  5. notBefore
    Time when the token becomes acceptable for processing. Fills the nbf field in the JWT.
  6. issuedAt
    Time when the token was issued. Fills the iat field in the JWT.
  7. jwtId
    Unique identifier across services that identifies the token. Fills jti field in JWT.

Additional claims may also be included in the JWT.

Changelog #

2.1.6 #

  • Added support for optional Not Before (nbf) time claims.
  • Fixed validation to reject token when current time equals the Expiry time.
  • Added more validation unit tests.
  • Fixed generation of JWT to use correct Base64url Encoding.
  • Added general support for non-registered claims.
  • Tidy up for static analysis and Dart linter.
  • Implemented toString method for JwtClaim.
  • Allow for customized checking of the JWT header.
  • Fixed use of _splayify/_spaly in toJson and changed dynamic to Object.
  • Improved format of output produced by JwtClaim.toString().

2.1.2 #

  • Fixed when typ is not present

2.1.1 #

  • Dart 2 compatibility


import 'dart:math';

import 'package:jaguar_jwt/jaguar_jwt.dart';

const String sharedSecret = 's3cr3t';

void main() {
  final jwt = senderCreatesJwt();

String senderCreatesJwt() {
  // Create a claim set

  final claimSet = new JwtClaim(
      issuer: 'teja',
      subject: 'kleak',
      audience: <String>['', ''],
      jwtId: _randomString(32),
      otherClaims: <String, dynamic>{
        'typ': 'authnresponse',
        'pld': {'k': 'v'}
      maxAge: const Duration(minutes: 5));

  // Generate a JWT from the claim set

  final token = issueJwtHS256(claimSet, sharedSecret);

  print('JWT: "$token"\n');

  return token;

void receiverProcessesJwt(String token) {
  try {
    // Verify the signature in the JWT and extract its claim set
    final decClaimSet = verifyJwtHS256Signature(token, sharedSecret);
    print('JwtClaim: $decClaimSet\n');

    // Validate the claim set

    decClaimSet.validate(issuer: 'teja', audience: '');

    // Use values from claim set

    if (decClaimSet.subject != null) {
      print('JWT ID: "${decClaimSet.jwtId}"');
    if (decClaimSet.jwtId != null) {
      print('Subject: "${decClaimSet.subject}"');
    if (decClaimSet.issuedAt != null) {
      print('Issued At: ${decClaimSet.issuedAt}');
    if (decClaimSet.containsKey('typ')) {
      final dynamic v = decClaimSet['typ'];
      if (v is String) {
        print('typ: "$v"');
      } else {
        print('Error: unexpected type for "typ" claim');
  } on JwtException catch (e) {
    print('Error: bad JWT: $e');

String _randomString(int length) {
  const chars =
  final rnd = new Random(new;
  final buf = new StringBuffer();

  for (var x = 0; x < length; x++) {
  return buf.toString();

Use this package as a library

1. Depend on it

Add this to your package's pubspec.yaml file:

  jaguar_jwt: ^2.1.6

2. Install it

You can install packages from the command line:

with pub:

$ pub get

with Flutter:

$ flutter pub get

Alternatively, your editor might support pub get or flutter pub get. Check the docs for your editor to learn more.

3. Import it

Now in your Dart code, you can use:

import 'package:jaguar_jwt/jaguar_jwt.dart';
Describes how popular the package is relative to other packages. [more]
Code health derived from static analysis. [more]
Reflects how tidy and up-to-date the package is. [more]
Weighted score of the above. [more]
Learn more about scoring.

We analyzed this package on Jan 20, 2020, and provided a score, details, and suggestions below. Analysis was completed with status completed using:

  • Dart: 2.7.0
  • pana: 0.13.4

Health suggestions

Fix lib/src/claim.dart. (-4.89 points)

Analysis of lib/src/claim.dart reported 10 hints, including:

line 76 col 20: Use = to separate a named parameter from its default value.

line 342 col 7: DO use curly braces for all flow control structures.

line 376 col 7: DO use curly braces for all flow control structures.

line 382 col 7: DO use curly braces for all flow control structures.

line 387 col 7: DO use curly braces for all flow control structures.

Fix lib/src/exception.dart. (-4.41 points)

Analysis of lib/src/exception.dart reported 9 hints, including:

line 15 col 7: Avoid const keyword.

line 19 col 7: Avoid const keyword.

line 23 col 7: Avoid const keyword.

line 27 col 7: Avoid const keyword.

line 31 col 7: Avoid const keyword.


Package Constraint Resolved Available
Direct dependencies
Dart SDK >=2.0.0-dev.65 <3.0.0
auth_header ^2.1.1 2.1.4
crypto ^2.0.5 2.1.4
Transitive dependencies
charcode 1.1.2
collection 1.14.12
convert 2.1.1
typed_data 1.1.6
Dev dependencies
test ^1.3.0