PHPackages                             firesphere/graphql-jwt - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. firesphere/graphql-jwt

ActiveSilverstripe-vendormodule[Authentication &amp; Authorization](/categories/authentication)

firesphere/graphql-jwt
======================

JWT Authentication for GraphQL

1.1.0(8y ago)196.5k↓92.2%25[9 issues](https://github.com/Firesphere/silverstripe-graphql-jwt/issues)[4 PRs](https://github.com/Firesphere/silverstripe-graphql-jwt/pulls)BSD-3-ClausePHPPHP &gt;=5.6CI failing

Since Jul 23Pushed 2y ago6 watchersCompare

[ Source](https://github.com/Firesphere/silverstripe-graphql-jwt)[ Packagist](https://packagist.org/packages/firesphere/graphql-jwt)[ RSS](/packages/firesphere-graphql-jwt/feed)WikiDiscussions master Synced today

READMEChangelog (10)Dependencies (7)Versions (15)Used By (0)

[![CircleCI](https://camo.githubusercontent.com/38c49b8dd331fab70606a6342049fb0f720c40412d48f42ba676262e3ed3a063/68747470733a2f2f636972636c6563692e636f6d2f67682f466972657370686572652f73696c7665727374726970652d6772617068716c2d6a77742f747265652f6d61737465722e7376673f7374796c653d737667)](https://circleci.com/gh/Firesphere/silverstripe-graphql-jwt/tree/master)[![Scrutinizer Code Quality](https://camo.githubusercontent.com/bdc3dffa51adcc678349bd4938f04051a6d3949f9f42c22a92d6dbb0d5440b86/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f466972657370686572652f73696c7665727374726970652d6772617068716c2d6a77742f6261646765732f7175616c6974792d73636f72652e706e673f623d6d6173746572)](https://scrutinizer-ci.com/g/Firesphere/silverstripe-graphql-jwt/?branch=master)[![codecov](https://camo.githubusercontent.com/608faf151b3727e37b9b6e436c86cfe0112bce1916d1855fdc6d257988ed158c/68747470733a2f2f636f6465636f762e696f2f67682f466972657370686572652f73696c7665727374726970652d6772617068716c2d6a77742f6272616e63682f6d61737465722f67726170682f62616467652e737667)](https://codecov.io/gh/Firesphere/silverstripe-graphql-jwt)

License
=======

[](#license)

[GPL v3 or later](LICENSE.md)

GraphQL JSON Web Token authenticator
====================================

[](#graphql-json-web-token-authenticator)

This module provides a JWT-interface for creating JSON Web Tokens for authentication.

Installation
------------

[](#installation)

```
composer require firesphere/graphql-jwt

```

The default config is available in `_config\config.yml`.

In order to securely process and store data via JWT, you need to set a secret key in your `.env` file:

```
JWT_SIGNER_KEY="[your secret key]"
```

A quick way to generate a secure random value value for `JWT_SIGNER_KEY` is through a PHP CLI command:

```
php -r 'echo substr(base64_encode(random_bytes(64)), 0, 64) . "\n";'

```

You can also use public/private key files.

```
JWT_SIGNER_KEY="./path/to/private.key"
JWT_PUBLIC_KEY="./path/to/public.key"
```

Note: Relative paths will be relative to your BASE\_PATH (prefixed with `./`)

Currently, only RSA keys are supported. ECDSA is not supported. The keys in the test-folder are generated by an online RSA key generator.

The signer key [for HMAC can be of any length (keys longer than B bytes are first hashed using H). However, less than L bytes is strongly discouraged as it would decrease the security strength of the function.](https://tools.ietf.org/html/rfc2104#section-3). Thus, for SHA-256 the signer key should be between 16 and 64 bytes in length.

**The keys in `tests/keys` should not be trusted!**

Configuration
-------------

[](#configuration)

Since admin/graphql is reserved exclusively for CMS graphql access, it will be necessary for you to register a custom schema for your front-end application, and apply the provided queries and mutations to that.

For example, given you've decided to create a schema named `frontend` at the url `/api`

```
---
Name: my-graphql-schema
---
SilverStripe\GraphQL\Manager:
  schemas:
    frontend:
      types:
        MemberToken: 'Firesphere\GraphQLJWT\Types\MemberTokenTypeCreator'
        Member: 'Firesphere\GraphQLJWT\Types\MemberTypeCreator'
      mutations:
        createToken: 'Firesphere\GraphQLJWT\Mutations\CreateTokenMutationCreator'
        refreshToken: 'Firesphere\GraphQLJWT\Mutations\RefreshTokenMutationCreator'
      queries:
        validateToken: 'Firesphere\GraphQLJWT\Queries\ValidateTokenQueryCreator'
---
Name: my-graphql-injections
---
SilverStripe\Core\Injector\Injector:
  SilverStripe\GraphQL\Manager.frontend:
    class: SilverStripe\GraphQL\Manager
    constructor:
      identifier: frontend
  SilverStripe\GraphQL\Controller.frontend:
    class: SilverStripe\GraphQL\Controller
    constructor:
      manager: '%$SilverStripe\GraphQL\Manager.frontend'
---
Name: my-graphql-routes
---
SilverStripe\Control\Director:
  rules:
    api:
      Controller: '%$SilverStripe\GraphQL\Controller.frontend'
      Stage: Live
```

Log in
------

[](#log-in)

To generate a JWT token, send a login request to the `createToken` mutator:

```
mutation {
  createToken(Email: "admin", Password: "password") {
    Token, // ...request or you won't have a token
    ID,
    FirstName,
    Surname
  }
}
```

Validate token
--------------

[](#validate-token)

If you have an app and want to validate your token, you can address the `validateToken` method:

```
query validateToken {
  validateToken {
    Valid
    Message
    Code
  }
}
```

It only needs to call the endpoint. The token should be in the header, via your middleware for the request, as a `Authorization: Bearer [token]`. If the token is valid, you'll get a response like this:

```
{
  "data": {
    "validateToken": {
      "Valid": true,
      "Message": "",
      "Code": 200,
      "__typename": "ValidateToken"
    }
  }
}
```

If the token is invalid, `Valid` will be `false`.

Anonymous tokens
----------------

[](#anonymous-tokens)

Although not advised, it's possible to use anonymous tokens. When using an anonymous authenticator, SilverStripe will generate a default database record in the Members table with the Email `anonymous` and no permissions by default.

To enable anonymous tokens, add the following to your configuration `.yml`:

```
SilverStripe\Core\Injector\Injector:
  Firesphere\GraphQLJWT\Mutations\CreateTokenMutationCreator:
    properties:
      CustomAuthenticators:
        - Firesphere\GraphQLJWT\Authentication\AnonymousUserAuthenticator
```

You can then create an anonymous login with the below query.

```
mutation {
  createToken(Email: "anonymous") {
    Token
  }
}
```

Note: If the default anonymous authenticator doesn't suit your purposes, you can inject any other core SilverStripe authenticator into `CustomAuthenticators`.

Warning: The default `AnonymousUserAuthenticator` is not appropriate for general usage, so don't register this under the core `Security` class!

Enable CORS
-----------

[](#enable-cors)

To use JWT, CORS needs to be enabled. This can be done by adding the following to your configuration `.yml`:

```
SilverStripe\GraphQL\Controller:
  cors:
    Enabled: true
    Allow-Origin: "*"
    Allow-Headers: "Authorization, Content-Type"
    Allow-Methods: "GET, POST, OPTIONS"
    Max-Age: 86400 # ...in seconds
```

Usage
-----

[](#usage)

After logging in, you will receive a token which can be used for further requests. This token should be in the header of the request with the `Bearer` as signature:

```
Authorization: Bearer [token]

```

Prefix
------

[](#prefix)

A prefix can be optionally associated with the unique identifier of a JWT record. This can make it easier to distinguish JWT records created in different contexts, e.g. on a specific domain or environment type. It is not required for security purposes.

```
JWT_PREFIX="[your secret prefix]"

```

Security
--------

[](#security)

Currently, the default method for encrypting the JWT is with SHA256. JWT is signed with multiple factors; including the host, audience (app/remote user), a secret key and a timeframe within which the token is valid. Only one device can be logged in at the time.

Supported services
------------------

[](#supported-services)

By default, JWT only supports login. As it's tokens can not be disabled, nor used for password changes or resets.

Caveats
-------

[](#caveats)

When using php under CGI/FastCGI mode with Apache, the `Authorization` header might not work correctly, see [issue#15](https://github.com/Firesphere/silverstripe-graphql-jwt/issues/15). The workaround is simple, just add `SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0` in your `.htaccess` file ([refer](http://php.net/manual/en/features.http-auth.php#114877)).

Examples
--------

[](#examples)

A Postman collection can be found in the `extra` folder.

Cow?
====

[](#cow)

Of course!

```
               /( ,,,,, )\
              _\,;;;;;;;,/_
           .-"; ;;;;;;;;; ;"-.
           '.__/`_ / \ _`\__.'
              | (')| |(') |
              | .--' '--. |
              |/ o     o \|
              |           |
             / \ _..=.._ / \
            /:. '._____.'   \
           ;::'    / \      .;
           |     _|_ _|_   ::|
         .-|     '==o=='    '|-.
        /  |  . /       \    |  \
        |  | ::|         |   | .|
        |  (  ')         (.  )::|
        |: |   |;  U U  ;|:: | `|
        |' |   | \ U U / |'  |  |
        ##V|   |_/`"""`\_|   |V##
           ##V##         ##V##

```

###  Health Score

35

—

LowBetter than 77% of packages

Maintenance11

Infrequent updates — may be unmaintained

Popularity31

Limited adoption so far

Community23

Small or concentrated contributor base

Maturity66

Established project with proven stability

 Bus Factor2

2 contributors hold 50%+ of commits

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~111 days

Recently: every ~278 days

Total

12

Last Release

2041d ago

Major Versions

0.2.0 → 1.0.02017-08-13

1.1.0 → 2.0.0-beta12019-01-04

PHP version history (2 changes)0.1.0PHP &gt;=5.6

2.0.0-beta2PHP &gt;=7.1

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/680570?v=4)[Simon Erkelens](/maintainers/Firesphere)[@Firesphere](https://github.com/Firesphere)

![](https://www.gravatar.com/avatar/f6a363b2d85dc3e82e73cc9e3a57fc15132920b166c5938ad63a54029b9f94b9?d=identicon)[tractorcow](/maintainers/tractorcow)

---

Top Contributors

[![tractorcow](https://avatars.githubusercontent.com/u/936064?v=4)](https://github.com/tractorcow "tractorcow (20 commits)")[![Firesphere](https://avatars.githubusercontent.com/u/680570?v=4)](https://github.com/Firesphere "Firesphere (18 commits)")[![chillu](https://avatars.githubusercontent.com/u/111025?v=4)](https://github.com/chillu "chillu (2 commits)")[![senorgeno](https://avatars.githubusercontent.com/u/728552?v=4)](https://github.com/senorgeno "senorgeno (1 commits)")[![assertchris](https://avatars.githubusercontent.com/u/200609?v=4)](https://github.com/assertchris "assertchris (1 commits)")[![zzdjk6](https://avatars.githubusercontent.com/u/3908516?v=4)](https://github.com/zzdjk6 "zzdjk6 (1 commits)")[![ec8or](https://avatars.githubusercontent.com/u/1678184?v=4)](https://github.com/ec8or "ec8or (1 commits)")[![elliot-sawyer](https://avatars.githubusercontent.com/u/354793?v=4)](https://github.com/elliot-sawyer "elliot-sawyer (1 commits)")

---

Tags

anonymous-tokensauthenticationauthentication-middlewarecorsgraphqlhacktoberfestheadlessjwtrsa-keysecuritysigner-key

###  Code Quality

TestsPHPUnit

Code StylePHP CS Fixer

### Embed Badge

![Health badge](/badges/firesphere-graphql-jwt/health.svg)

```
[![Health](https://phpackages.com/badges/firesphere-graphql-jwt/health.svg)](https://phpackages.com/packages/firesphere-graphql-jwt)
```

###  Alternatives

[tymon/jwt-auth

JSON Web Token Authentication for Laravel and Lumen

11.7k51.8M371](/packages/tymon-jwt-auth)[league/oauth2-server

A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.

6.7k147.0M289](/packages/league-oauth2-server)[php-open-source-saver/jwt-auth

JSON Web Token Authentication for Laravel and Lumen

84611.1M63](/packages/php-open-source-saver-jwt-auth)[scheb/2fa

Two-factor authentication for Symfony applications (please use scheb/2fa-bundle to install)

585684.2k1](/packages/scheb-2fa)[jeremy379/laravel-openid-connect

OpenID Connect support to the PHP League's OAuth2 Server. Compatible with Laravel Passport.

59437.0k9](/packages/jeremy379-laravel-openid-connect)[scheb/2fa-trusted-device

Extends scheb/2fa-bundle with trusted devices support

365.8M34](/packages/scheb-2fa-trusted-device)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
