PHPackages emarref/jwt - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. emarref/jwt AbandonedArchivedLibrary[Security](/categories/security) emarref/jwt =========== A JWT implementation 1.0.3(9y ago)94739.7k↓11.8%18[1 PRs](https://github.com/emarref/jwt/pulls)7MITPHPPHP >=5.4 Since Nov 4Pushed 7y ago14 watchersCompare [ Source](https://github.com/emarref/jwt)[ Packagist](https://packagist.org/packages/emarref/jwt)[ RSS](/packages/emarref-jwt/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (6)Dependencies (1)Versions (12)Used By (7) An implementation of the [JSON Web Token (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30) draft in PHP. See [jwt.io](http://jwt.io/) for more information on JWT. [![Build Status](https://camo.githubusercontent.com/1ba89797c20748b0b475a69503b05e365f37971a2e6121f14fe72e4c59da3784/68747470733a2f2f7472617669732d63692e6f72672f656d61727265662f6a77742e7376673f6272616e63683d6d6173746572)](https://travis-ci.org/emarref/jwt) [![Scrutinizer Code Quality](https://camo.githubusercontent.com/25d81639f364963c03a9a7995a30c819991c1d4d41dccb54cbfcf49a091f9184/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f656d61727265662f6a77742f6261646765732f7175616c6974792d73636f72652e706e673f623d6d6173746572)](https://scrutinizer-ci.com/g/emarref/jwt/?branch=master) Features include: - Token serialization - Token deserialization - Token verification - `aud`, `exp`, `iss`, `nbf`, `sub` claims are verified - Symmetric Encryption - `NONE`, `HS256`, `HS384`, `HS512` algorithms supported - Asymmetric Encryption - `RS256`, `RS384`, `RS512` algorithms supported - `ES256`, `ES384`, `ES512`, `PS256`, `PS384`, `PS512` algorithms are planned > ⚠️ Versions of this library up to and including v1.0.2 are susceptible to timing attacks when using Symmetric encryption. See [\#20](https://github.com/emarref/jwt/pull/20) for more information. Please update to >= v1.0.3 as soon as possible to address this vulnerability. This library is not susceptible to a common [encryption vulnerability](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/). Installation ------------ [](#installation) ``` composer require emarref/jwt ``` Usage ----- [](#usage) Create an instance of the `Emarref\Jwt\Token` class, then configure it. ``` use Emarref\Jwt\Claim; $token = new Emarref\Jwt\Token(); // Standard claims are supported $token->addClaim(new Claim\Audience(['audience_1', 'audience_2'])); $token->addClaim(new Claim\Expiration(new \DateTime('30 minutes'))); $token->addClaim(new Claim\IssuedAt(new \DateTime('now'))); $token->addClaim(new Claim\Issuer('your_issuer')); $token->addClaim(new Claim\JwtId('your_id')); $token->addClaim(new Claim\NotBefore(new \DateTime('now'))); $token->addClaim(new Claim\Subject('your_subject')); // Custom claims are supported $token->addClaim(new Claim\PublicClaim('claim_name', 'claim_value')); $token->addClaim(new Claim\PrivateClaim('claim_name', 'claim_value')); ``` To use a token, create a JWT instance. ``` $jwt = new Emarref\Jwt\Jwt(); ``` To retrieve the encoded token for transfer, call the `serialize()` method. ``` $algorithm = new Emarref\Jwt\Algorithm\None(); $encryption = Emarref\Jwt\Encryption\Factory::create($algorithm); $serializedToken = $jwt->serialize($token, $encryption); ``` The `$serializedToken` variable now contains the unencrypted base64 encoded string representation of your token. To encrypt a token, pass an instance of `Emarref\Jwt\Encryption\EncryptionInterface` to the `serialize()` method as the second argument. ``` $algorithm = new Emarref\Jwt\Algorithm\Hs256('verysecret'); $encryption = Emarref\Jwt\Encryption\Factory::create($algorithm); $serializedToken = $jwt->serialize($token, $encryption); ``` An example of using Rs256 encryption with a key pair can be found in the wiki - [Using RS256 Encryption](https://github.com/emarref/jwt/wiki/Using-RS256-Encryption). To use a serialized token, first deserialize it into a `Emarref\Jwt\Token` object using a `Jwt` instance. ``` $token = $jwt->deserialize($serializedToken); ``` To verify a token's claims, first set up the context that should be used to verify the token against. Encryption is the only required verification. ``` $context = new Emarref\Jwt\Verification\Context($encryption); $context->setAudience('audience_1'); $context->setIssuer('your_issuer'); ``` Then use the `verify()` method on a `Jwt` instance. ``` try { $jwt->verify($token, $context); } catch (Emarref\Jwt\Exception\VerificationException $e) { echo $e->getMessage(); } ``` Testing ------- [](#testing) This library uses PHPUnit for unit testing. Make sure you've run `composer install` then call: ``` ./bin/phpunit ./test ``` Further Reading --------------- [](#further-reading) - [JSON Web Encryption (JWE)](https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-36) - [JSON Web Signature (JWS)](https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-36) - [JSON Web Algorithms (JWA)](https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-36) - [JSON Web Key (JWK)](https://tools.ietf.org/html/draft-ietf-jose-json-web-key-36) - ### Health Score 44 — FairBetter than 92% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity52 Moderate usage in the ecosystem Community27 Small or concentrated contributor base Maturity65 Established project with proven stability Bus Factor1 Top contributor holds 93.8% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~111 days Recently: every ~128 days Total 7 Last Release 3542d ago Major Versions 0.1.1 → 1.0.02015-09-02 ### Community Maintainers ![](https://www.gravatar.com/avatar/c5854d7f23e12434f4eef7d4a3745f7a8776150ae66e633ea5b533c0a8b2b5cb?d=identicon)[emarref](/maintainers/emarref) --- Top Contributors [![emarref](https://avatars.githubusercontent.com/u/556594?v=4)](https://github.com/emarref "emarref (75 commits)")[![erickskrauch](https://avatars.githubusercontent.com/u/4787256?v=4)](https://github.com/erickskrauch "erickskrauch (2 commits)")[![ftrrtf](https://avatars.githubusercontent.com/u/424723?v=4)](https://github.com/ftrrtf "ftrrtf (2 commits)")[![snikch](https://avatars.githubusercontent.com/u/115958?v=4)](https://github.com/snikch "snikch (1 commits)") ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/emarref-jwt/health.svg) ``` [![Health](https://phpackages.com/badges/emarref-jwt/health.svg)](https://phpackages.com/packages/emarref-jwt) ``` ### Alternatives [defuse/php-encryption Secure PHP Encryption Library 3.9k162.4M214](/packages/defuse-php-encryption)[mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k16.7M113](/packages/mews-purifier)[robrichards/xmlseclibs A PHP library for XML Security 41478.1M118](/packages/robrichards-xmlseclibs)[bjeavons/zxcvbn-php Realistic password strength estimation PHP library based on Zxcvbn JS 87117.5M63](/packages/bjeavons-zxcvbn-php)[illuminate/encryption The Illuminate Encryption package. 9229.7M280](/packages/illuminate-encryption)[paragonie/hidden-string Encapsulate strings in an object to hide them from stack traces 7410.6M39](/packages/paragonie-hidden-string) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)