PHPackages                             facile-it/php-jose-verifier - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. facile-it/php-jose-verifier

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

facile-it/php-jose-verifier
===========================

JWT Token Verifier. A JWT verifier for access tokens, id tokens and others

1.0.0(3w ago)5822.7k↓32.8%63MITPHPPHP ^8.2CI passing

Since Apr 8Pushed 5d ago3 watchersCompare

[ Source](https://github.com/facile-it/php-jose-verifier)[ Packagist](https://packagist.org/packages/facile-it/php-jose-verifier)[ RSS](/packages/facile-it-php-jose-verifier/feed)WikiDiscussions master Synced 3d ago

READMEChangelog (10)Dependencies (33)Versions (27)Used By (3)

Facile JOSE Verifier
====================

[](#facile-jose-verifier)

A library to validate JWT tokens.

[![Build Status](https://github.com/facile-it/php-jose-verifier/workflows/Continuous%20Integration/badge.svg?branch=master)](https://github.com/facile-it/php-jose-verifier/actions)[![codecov](https://camo.githubusercontent.com/ea5b162f729f627d722bb717953863005f0dffd4ebb7b3a2e8c5d93de9930fa5/68747470733a2f2f636f6465636f762e696f2f67682f666163696c652d69742f7068702d6a6f73652d76657269666965722f6272616e63682f6d61737465722f67726170682f62616467652e7376673f746f6b656e3d31524853304e5744324c)](https://codecov.io/gh/facile-it/php-jose-verifier)[![Latest Stable Version](https://camo.githubusercontent.com/a03e8c29b8b6ade58cd7110e41850b1279496070577f53c655af8293b6ea6671/68747470733a2f2f706f7365722e707567782e6f72672f666163696c652d69742f7068702d6a6f73652d76657269666965722f762f737461626c65)](https://packagist.org/packages/facile-it/php-jose-verifier)[![Total Downloads](https://camo.githubusercontent.com/ee749c3081eb926c0a5c59a33cd18e048f2804a11edf7e2fef0a33de5435f20b/68747470733a2f2f706f7365722e707567782e6f72672f666163696c652d69742f7068702d6a6f73652d76657269666965722f646f776e6c6f616473)](https://packagist.org/packages/facile-it/php-jose-verifier)[![Latest Unstable Version](https://camo.githubusercontent.com/14a24ca71fc1c83619d98b53e3de3d24cb4fcd28e8eebf6a45c28db73c339d03/68747470733a2f2f706f7365722e707567782e6f72672f666163696c652d69742f7068702d6a6f73652d76657269666965722f762f756e737461626c65)](https://packagist.org/packages/facile-it/php-jose-verifier)[![License](https://camo.githubusercontent.com/6b324478fc8013d85c7fa012008fd64f3cb0423bb6d19e0842d6ff0913df6b81/68747470733a2f2f706f7365722e707567782e6f72672f666163696c652d69742f7068702d6a6f73652d76657269666965722f6c6963656e7365)](https://packagist.org/packages/facile-it/php-jose-verifier)

How To Use
----------

[](#how-to-use)

The suggested and simply way to use it (specially for OAuth2 and OpenID tokens) is using builders.

For better performance you should install `ext-gmp`.

Create verifiers from Issuer and Client Metadata
------------------------------------------------

[](#create-verifiers-from-issuer-and-client-metadata)

Usually an OpenID provider provides an openid-configuration (`/.well-known/openid-configuration`).

You can fetch the configuration and use it with builders, but usually only `issuer` and `jwks_uri` are necessary.

```
// Fetched issuer metadata:
$issuerMetadata = [
    'issuer' => 'https://issuer-name', // The Issuer name
    'jwks_uri' => 'https://jwks_uri', // The Issuer's JWK Set URI
];
```

The remote `jwks_uri` is the remote endpoint where the issuer public keys are exposed.

You also need the Client Metadata, usually the same provided from the [OpenID Dynamic Registration](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)but **you can just provide the `client_id`** and optionally the `client_secret` (in case the tokens are signed with symmetric key using the client secret).

Verfiers and decrypters are automatically configured using the [OpenID Dynamic Registration](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)client metadata.

If you use encryption, you should inject your JWK Set in the configuration `jwks` keys.

```
// Client Metadata (complete configuration example)
$clientMetadata = [
    'client_id' => 'my-client-id',
    'client_secret' => 'my-client-secret',
    'id_token_signed_response_alg' => 'RS256',
    'id_token_encrypted_response_alg' => 'RSA-OAEP',
    'id_token_encrypted_response_enc' => 'A128GCM',
    'userinfo_signed_response_alg' => 'RS256',
    'userinfo_encrypted_response_alg' => 'RSA-OAEP',
    'userinfo_encrypted_response_enc' => 'A128GCM',
    'jwks' => [
        'keys' => [
            // client JWKs
        ],
    ],
];
```

```
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder;
use Facile\JoseVerifier\Exception\InvalidTokenExceptionInterface;

$builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata);

$verifier = $builder->build();
try {
    $payload = $verifier->verify($jwt);
} catch (InvalidTokenExceptionInterface $e) {
    // your logic here
}
```

The verifier will decrypt and validate the token for you. The result is the token payload.

Using cache to fetch remote JWK Set
-----------------------------------

[](#using-cache-to-fetch-remote-jwk-set)

Obviously you should not fetch the remote JWK Set on every request. In order to use cache you can inject a partially configured `JwksProviderBuilder`.

```
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder;use Facile\JoseVerifier\JWK\JwksProviderBuilder;

// Use your PSR SimpleCache implementation
$cache = $container->get(\Psr\SimpleCache\CacheInterface::class);

$jwksProviderBuilder = (new JwksProviderBuilder())
    ->withCache($cache)
    ->withCacheTtl(86400); // 86400 is the default value

$builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata)
    ->withJwksProviderBuilder($jwksProviderBuilder);

$verifier = $builder->build();
try {
    $payload = $verifier->verify($jwt);
} catch (InvalidTokenExceptionInterface $e) {
    // your logic here
}
```

Provided verifiers
------------------

[](#provided-verifiers)

### Access Token Verifier

[](#access-token-verifier)

The AccessTokenVerifier will validate a JWT access token.

```
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder;

$builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata);

$verifier = $builder->build();
try {
    $payload = $verifier->verify($jwt);
} catch (InvalidTokenExceptionInterface $e) {
    // your logic here
}
```

### ID Token Verifier

[](#id-token-verifier)

The IdTokenVerifier will validate an OpenID `id_token`.

Create the verifier:

```
use Facile\JoseVerifier\Builder\IdTokenVerifierBuilder;

$builder = IdTokenVerifierBuilder::create($issuerMetadata, $clientMetadata);

$verifier = $builder->build();
```

In order to validate an `id_token` you must provide some other parameters to the verifier (note that all verifiers are immutable).

```
use Facile\JoseVerifier\IdTokenVerifierInterface;

/** @var IdTokenVerifierInterface $verifier */

// Provide the `state` used in the Code Grant Flow (this should be provided id the `id_token` contains the `s_hash` claim)
$verifier = $verifier->withState($state);

// Optionally provide these parameters to validate the correct hash values:

$verifier = $verifier
    ->withAccessToken($accessToken) // Provide the `access_token` used in the Code Grant Flow
    ->withCode($code) // Provide the `code` used in the Code Grant Flow

try {
    $payload = $verifier->verify($jwt);
} catch (InvalidTokenExceptionInterface $e) {
    // your logic here
}
```

### UserInfo Verifier

[](#userinfo-verifier)

When UserInfo returns a signed (and maybe encrypted) JWT as response content of the userinfo endpoint you can use this verifier to decrypt, verify, and obtain user info claims.

```
use Facile\JoseVerifier\Builder\UserInfoVerifierBuilder;

$builder = UserInfoVerifierBuilder::create($issuerMetadata, $clientMetadata);

$verifier = $builder->build();
try {
    $payload = $verifier->verify($jwt);
} catch (InvalidTokenExceptionInterface $e) {
    // your logic here
}
```

###  Health Score

65

—

FairBetter than 99% of packages

Maintenance97

Actively maintained with recent releases

Popularity45

Moderate usage in the ecosystem

Community22

Small or concentrated contributor base

Maturity79

Established project with proven stability

 Bus Factor1

Top contributor holds 73.2% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~107 days

Recently: every ~193 days

Total

22

Last Release

22d ago

Major Versions

0.5.2 → 1.0.02026-06-12

PHP version history (5 changes)0.1.0PHP ^7.2

0.3.0-beta1PHP ^7.3 || ^8.0

0.3.0-beta2PHP ^7.2 || ^8.0

0.5.0-beta1PHP ^8.1

1.0.0PHP ^8.2

### Community

Maintainers

![](https://www.gravatar.com/avatar/a6fa237583695920bbe285e738810728bfd7981ab066d39ffe852e09ae1fd30e?d=identicon)[thomasvargiu](/maintainers/thomasvargiu)

---

Top Contributors

[![thomasvargiu](https://avatars.githubusercontent.com/u/732012?v=4)](https://github.com/thomasvargiu "thomasvargiu (82 commits)")[![Jean85](https://avatars.githubusercontent.com/u/6729988?v=4)](https://github.com/Jean85 "Jean85 (17 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (11 commits)")[![angelomelonas](https://avatars.githubusercontent.com/u/12830426?v=4)](https://github.com/angelomelonas "angelomelonas (1 commits)")[![MikeGomibo](https://avatars.githubusercontent.com/u/217560296?v=4)](https://github.com/MikeGomibo "MikeGomibo (1 commits)")

---

Tags

jwtJWSJWEJOSEJWKtokenoauth2validateOpenIdaccess tokenJWKSverifier

###  Code Quality

TestsPHPUnit

Static AnalysisPsalm, Rector

Code StylePHP CS Fixer

Type Coverage Yes

### Embed Badge

![Health badge](/badges/facile-it-php-jose-verifier/health.svg)

```
[![Health](https://phpackages.com/badges/facile-it-php-jose-verifier/health.svg)](https://phpackages.com/packages/facile-it-php-jose-verifier)
```

###  Alternatives

[flow-php/flow

PHP ETL - Extract Transform Load - Data processing framework

85036.3k](/packages/flow-php-flow)[symfony/symfony

The Symfony PHP framework

31.4k87.2M2.2k](/packages/symfony-symfony)[shopware/core

Shopware platform is the core for all Shopware ecommerce products.

585.6M572](/packages/shopware-core)[shopware/platform

The Shopware e-commerce core

3.4k1.5M3](/packages/shopware-platform)[tempest/framework

The PHP framework that gets out of your way.

2.2k34.4k15](/packages/tempest-framework)[sylius/sylius

E-Commerce platform for PHP, based on Symfony framework.

8.5k5.9M738](/packages/sylius-sylius)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
