
divante-ltd/pimcore-jwt-auth
============================

Module that allows using JWT with the Pimcore User object.

v1.0.0 (5y ago) · [2 issues](https://github.com/DivanteLtd/pimcore-jwt-auth/issues) · [1 PRs](https://github.com/DivanteLtd/pimcore-jwt-auth/pulls) · GPL-3.0-or-later · PHP >=7.2

[Source](https://github.com/DivanteLtd/pimcore-jwt-auth) · [Packagist](https://packagist.org/packages/divante-ltd/pimcore-jwt-auth) · [Docs](https://divante.com)

JWT Auth
========


This bundle provides JWT (JSON Web Token) authentication for your Pimcore API. It is based on [`lexik/jwt-authentication-bundle`](https://packagist.org/packages/lexik/jwt-authentication-bundle).

It is compatible and tested with PHP 7 and Pimcore 6.

**Table of Contents**

- [JWT module](#jwt-module)
    - [Prerequisites](#prerequisites)
    - [Installation](#installation)
    - [Configuration](#configuration)
    - [Usage](#usage)
    - [Features](#features)
    - [Supported Pimcore types](#supported-types)
    - [Standards & Code Quality](#standards)
    - [About Authors](#authors)

Prerequisites
-------------


This module requires Pimcore 6 and the PHP OpenSSL extension.

Installation
------------


Create a User class in Pimcore:

[![Screenshot](doc/images/user-class.png)](doc/images/user-class.png)

Register dependencies in `app/AppKernel.php`:

```
public function registerBundlesToCollection(BundleCollection $collection)
{
    // ...
    // Register the JWT and CORS bundles only when they are installed.
    if (class_exists('Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle')) {
        $collection->addBundle(new Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle());
    }
    if (class_exists('Nelmio\CorsBundle\NelmioCorsBundle')) {
        $collection->addBundle(new Nelmio\CorsBundle\NelmioCorsBundle());
    }
}
```

Generate the RSA key pair used to sign and verify tokens:

```
$ mkdir -p app/config/jwt
$ openssl genrsa -out app/config/jwt/private.pem -aes256 4096
$ openssl rsa -pubout -in app/config/jwt/private.pem -out app/config/jwt/public.pem
```

If the first `openssl` command forces you to enter a passphrase, use the following to decrypt the private key:

```
$ openssl rsa -in app/config/jwt/private.pem -out app/config/jwt/private2.pem
$ mv app/config/jwt/private.pem app/config/jwt/private.pem-back
$ mv app/config/jwt/private2.pem app/config/jwt/private.pem
```
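The same key generation as a non-interactive script that keeps every file in one directory, leaves the private key encrypted (so no decrypt step is needed), and checks that `public.pem` really belongs to `private.pem`. This is an added example, not part of the bundle; the function names and the `JWT_PASSPHRASE` environment variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the bundle). Assumes JWT_PASSPHRASE is exported.

# gen_jwt_keys DIR [BITS]: write DIR/private.pem (AES-256 encrypted) and DIR/public.pem
gen_jwt_keys() {
    key_dir=$1
    bits=${2:-4096}
    if [ -z "${JWT_PASSPHRASE:-}" ]; then
        echo "JWT_PASSPHRASE is not set" >&2
        return 1
    fi
    mkdir -p "$key_dir" || return 1
    chmod 700 "$key_dir" || return 1
    # umask in a subshell so the private key is never created world-readable
    (
        umask 077
        openssl genrsa -aes256 -passout env:JWT_PASSPHRASE \
            -out "$key_dir/private.pem" "$bits" 2>/dev/null
    ) || return 1
    openssl rsa -pubout -passin env:JWT_PASSPHRASE \
        -in "$key_dir/private.pem" -out "$key_dir/public.pem" 2>/dev/null || return 1
    chmod 600 "$key_dir/private.pem"
    chmod 644 "$key_dir/public.pem"
}

# keys_match DIR: succeed only if public.pem is the public half of private.pem
keys_match() {
    derived=$(openssl rsa -pubout -passin env:JWT_PASSPHRASE \
        -in "$1/private.pem" 2>/dev/null) || return 1
    [ "$derived" = "$(cat "$1/public.pem")" ]
}

# private_key_is_encrypted DIR: succeed if the PEM on disk is passphrase-protected
# (PKCS#8 header from OpenSSL 3.x, Proc-Type header from the traditional format)
private_key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1/private.pem"
}

# Run as: JWT_PASSPHRASE=... sh gen-keys.sh app/config/jwt
if [ "$#" -gt 0 ]; then
    gen_jwt_keys "$@" && keys_match "$1" && private_key_is_encrypted "$1"
fi
```

Run it as the account PHP runs under, or adjust ownership afterwards, because the private key is left readable by its owner only. The same passphrase then goes into `pass_phrase`.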

Configuration
-------------


Configure the key paths in your `app/config/lexik_jwt_authentication.yml` (the file name imported from `config.yml` below):

```
lexik_jwt_authentication:
    secret_key:       '%kernel.project_dir%/app/config/jwt/private.pem' # required for token creation
    public_key:       '%kernel.project_dir%/app/config/jwt/public.pem'  # required for token verification
    pass_phrase:      'your_secret_passphrase' # required for token creation, usage of an environment variable is recommended
    token_ttl:        3600
```

Configure CORS in `app/config/nelmio_cors.yml`:

```
nelmio_cors:
  defaults:
    allow_credentials: false
    allow_origin: []
    allow_headers: []
    allow_methods: []
    expose_headers: []
    max_age: 0
    hosts: []
    origin_regex: false
    forced_allow_origin_value: ~
  paths:
    '^/api/':
      allow_origin: ['*']
      allow_headers: ['*']
      allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
      max_age: 3600
```

Configure your `app/config/security.yml`:

```
security:
    # ...

    providers:
        pimcore_user_provider:
            id: login_bundle.security.user_provider

    firewalls:
        # Declared before `api`: Symfony uses the first firewall whose pattern matches.
        login:
            pattern: ^/api/login
            stateless: true
            anonymous: true
            provider: pimcore_user_provider
            json_login:
                check_path: /api/login
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure

        api:
            pattern: ^/api
            stateless: true
            provider: pimcore_user_provider
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator

    # Rules are checked top to bottom; the login path must stay above the catch-all.
    access_control:
        - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api,       roles: IS_AUTHENTICATED_FULLY }
```

Configure your `app/config/config.yml`:

```
imports:
    # ...
    - { resource: lexik_jwt_authentication.yml }
    - { resource: nelmio_cors.yml }
```

Configure your `config/routing.yml`:

```
api_login_check:
    path: /api/login
```

Usage
-----


The first step is to authenticate the user with their credentials. A classic `form_login` on an anonymously accessible firewall works perfectly (the configuration above uses `json_login`).

Just set the provided `lexik_jwt_authentication.handler.authentication_success` service as the success handler to generate the token and send it as part of a JSON response body.

Store the token on the client side; the JWT is reusable until its TTL has expired (3600 seconds by default). In the Pimcore panel, create an object of class User and fill in its credentials.

Note: You can test getting the token with a simple curl command like this:

```
curl -X POST -H "Content-Type: application/json" http://localhost/api/login -d '{"username":"admin","password":"test"}'
```

If it works, you will receive something like this:

```
{
   "token" : "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJleHAiOjE0MzQ3Mjc1MzYsInVzZXJuYW1lIjoia29ybGVvbiIsImlhdCI6IjE0MzQ2NDExMzYifQ.nh0L_wuJy6ZKIQWh6OrW5hdLkviTs1_bau2GqYdDCB0Yqy_RplkFghsuqMpsFls8zKEErdX5TYCOR7muX0aQvQxGQ4mpBkvMDhJ4-pE4ct2obeMTr_s4X8nC00rBYPofrOONUOR4utbzvbd4d2xT_tj4TdR_0tsr91Y7VskCRFnoXAnNT-qQb7ci7HIBTbutb9zVStOFejrb4aLbr7Fl4byeIEYgp2Gd7gY"
}
```

### Use the token


Simply pass the JWT on each request to the protected firewall, either as an authorization header or as a query parameter.

By default only the authorization header mode is enabled: `Authorization: Bearer {token}`

### About token expiration


Each request after token expiration will result in a 401 response. Redo the authentication process to obtain a new token.

If you want to use a **refresh token** to renew your JWT, see [JWTRefreshTokenBundle](https://github.com/gesdinet/JWTRefreshTokenBundle).
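A client can read the `exp` claim from the token it stored and log in again shortly before expiry instead of waiting for the 401. The following is an added example, not part of the bundle; the function names are assumptions and the sample token is the one shown in the login response above. The claims are only base64url-encoded, so anyone holding the token can read them.

```shell
#!/bin/sh
# Added example (not from the bundle): inspect a token's claims on the client.
# The signature is NOT verified here; only the server decides whether a token is valid.

# Token copied from the sample login response on this page.
SAMPLE_TOKEN='eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJleHAiOjE0MzQ3Mjc1MzYsInVzZXJuYW1lIjoia29ybGVvbiIsImlhdCI6IjE0MzQ2NDExMzYifQ.nh0L_wuJy6ZKIQWh6OrW5hdLkviTs1_bau2GqYdDCB0Yqy_RplkFghsuqMpsFls8zKEErdX5TYCOR7muX0aQvQxGQ4mpBkvMDhJ4-pE4ct2obeMTr_s4X8nC00rBYPofrOONUOR4utbzvbd4d2xT_tj4TdR_0tsr91Y7VskCRFnoXAnNT-qQb7ci7HIBTbutb9zVStOFejrb4aLbr7Fl4byeIEYgp2Gd7gY'

# extract_token: read a login response on stdin, print the value of "token"
extract_token() {
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# jwt_payload TOKEN: print the claims JSON (second segment, base64url-decoded)
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in      # restore the padding that JWTs strip
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# jwt_exp TOKEN: print the exp claim (seconds since the epoch)
jwt_exp() {
    jwt_payload "$1" |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*"\{0,1\}\([0-9][0-9]*\).*/\1/p'
}

# jwt_needs_login TOKEN NOW [SKEW]: succeed when the token is missing, unparsable,
# or expires within SKEW seconds (default 30) of NOW
jwt_needs_login() {
    exp=$(jwt_exp "$1")
    [ -n "$exp" ] || return 0
    [ $(( $2 + ${3:-30} )) -ge "$exp" ]
}

# Usage: jwt_needs_login "$TOKEN" "$(date +%s)" && TOKEN=$(curl -s ... | extract_token)
```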

### More details


For more details, head to [LexikJWTAuthenticationBundle](https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md).

Standards & Code Quality
------------------------

This module follows the PSR-2 coding standard and our own PHPCS and PHPMD rulesets.

About Authors
-------------


We are a software house from Europe, operating since 2008 and employing about 150 people. Our core competencies are built around Magento, Pimcore and bespoke software projects (we love Symfony3, Node.js, Angular, React, Vue.js). We specialize in sophisticated integration projects, trying to connect hardcore IT with good product design and UX.

We work for clients like INTERSPORT, ING, Odlo, Onderdelenwinkel and CDP, the company that produced The Witcher game. We develop two projects: [Open Loyalty](http://www.openloyalty.io/ "Open Loyalty"), an open source loyalty program, and [Vue.js Storefront](https://github.com/DivanteLtd/vue-storefront "Vue.js Storefront").

We are part of the OEX Group which is listed on the Warsaw Stock Exchange. Our annual revenue has been growing at a minimum of about 30% year on year.

Visit our website [Divante.com](https://divante.com/ "Divante.com") for more information.


### Community

Maintainer: [Kuba Płaskonka](/maintainers/kubaplas) ([@kubaplas](https://github.com/kubaplas))

Top contributor: [mbolka](https://github.com/mbolka "mbolka (2 commits)")

Tags: jwt, pimcore, pimcore-plugin

