
ignislabs/hotjot
================

No-frills JWT library

- Version: 1.0.0 (released 8 years ago; last push 8 years ago; 3 versions on Packagist, 0 dependents)
- License: MIT
- Requires: PHP >= 7.1
- GitHub stars: 19; watchers: 1
- Source: https://github.com/IgnisLabs/HotJot
- Packagist: https://packagist.org/packages/ignislabs/hotjot
- Listed on PHPackages in the Authentication & Authorization category; `master` synced 3 days ago

HotJot
======


No-frills JWT & JWS library.

Installation
------------


Install with composer:

```
$ composer require ignislabs/hotjot
```

### Requirements


- PHP >= 7.1
- OpenSSL extension
- JSON extension

Usage
-----


Creating, verifying and validating tokens are three separate operations, each with its own component. Here is a quick look at all three before we dive into each component in more detail.

**Create a token:**

```
$token = $factory->create($claims, $headers);
```

**Verify a token:**

```
$signer->verify($token);
```

**Validate a token:**

```
$validator->validate($token);
```

Let's take a look at the signers first, as these are the most important part of the library. You need a signer to create signed tokens and verify them.

### Signers


You can choose between `HMAC`, `RSA` or `None` signers.

#### `HMAC` Signers


HMAC signers are the simplest. HMAC is a *symmetric* algorithm: one secret key is shared by whoever issues tokens and whoever verifies them, so every party holding the key can also mint tokens. Use it only when issuer and verifier sit in the same trust domain. The key is a MAC key, not an encryption key; generate it from a cryptographically secure random source and make it at least as long as the hash output (32, 48 or 64 bytes for `HS256`, `HS384` and `HS512`, the minimum RFC 7518 section 3.2 requires). A short or human-chosen secret can be brute-forced offline from a single captured token.

You have 3 different options: `HS256`, `HS384`, and `HS512`. All three take the secret key as their only constructor parameter.

```
$signer = new \IgnisLabs\HotJot\Signer\HMAC\HS512('encryption key');
```
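The following is an added example and not code from the HotJot project: it loads the `HS512` secret from an environment variable (the name `HOTJOT_HMAC_KEY` is an assumption made for this example) and refuses any key shorter than the hash output, so a placeholder such as `'encryption key'` can never reach the signer.

```php
<?php
// Added example, not part of the HotJot README or library: provisioning the
// HMAC secret. The variable name HOTJOT_HMAC_KEY is chosen for this example.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use IgnisLabs\HotJot\Signer\HMAC\HS512;

// One-time generation, from a shell on a trusted machine:
//   php -r 'echo base64_encode(random_bytes(64)), PHP_EOL;'
// Put the output in your secret store / environment; never commit it.

/**
 * Load the HMAC secret and refuse anything shorter than the hash output.
 * RFC 7518 section 3.2 requires a key at least as long as the hash
 * (32/48/64 bytes for HS256/HS384/HS512). A short or human-chosen secret
 * can be brute-forced offline from a single captured token.
 */
function loadHmacSecret(string $envVar = 'HOTJOT_HMAC_KEY', int $minBytes = 64): string
{
    $encoded = getenv($envVar);
    if ($encoded === false || $encoded === '') {
        throw new \RuntimeException("$envVar is not set");
    }
    $key = base64_decode($encoded, true); // strict mode rejects malformed input
    if ($key === false || strlen($key) < $minBytes) {
        throw new \RuntimeException("$envVar must decode to at least $minBytes bytes");
    }
    return $key;
}

// HS512 needs a 64-byte minimum; use 32 for HS256 and 48 for HS384.
$signer = new HS512(loadHmacSecret('HOTJOT_HMAC_KEY', 64));
```

Failing at startup when the secret is missing or weak is deliberate: a service that silently falls back to a default key issues tokens anyone can forge.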

#### `RSA` Signers


RSA is *asymmetric*, which means you'll need to create a key pair:

```
# create a 4096-bit private key, encrypted with AES-256 under a passphrase read from stdin
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -aes-256-cbc -pass stdin -outform PEM -out private.pem

# extract the public key (prompts for the passphrase)
$ openssl rsa -pubout -in private.pem -out public.pem
```

If you don't want a passphrase-protected key, omit both `-aes-256-cbc` and `-pass stdin`. Note that `-pass stdin` on its own does nothing: without a cipher option, `genpkey` writes the private key unencrypted.

> You can, if you need/want to, make your public key publicly available so anyone can use it to verify if the token is really signed by you (that's one of the purposes behind public-key cryptography).

Again, you have 3 different options: `RS256`, `RS384`, and `RS512`. All three require both private and public keys, and the passphrase if your private key is protected.

```
$privateKey = file_get_contents('/path/to/private.pem');
$publicKey = file_get_contents('/path/to/public.pem');

$signer = new \IgnisLabs\HotJot\Signer\RSA\RS512($privateKey, $publicKey, 'key passphrase (if any)');
```

The *private key* is used for signing and the *public key* for verification.

#### `None` Signer


The `None` signer produces an unsecured token: the `alg` header is `none` and the signature is empty. The signer takes no constructor parameters, because it has no key. Its `verify()` always fails, as there is no signature to check, so a `None` signer can never be used to accept a token.

> **Warning!** Even though you technically can create unsecured tokens, you should be really careful and know very well what you're doing. Never accept an unsecured token from an untrusted source.

```
$signer = new \IgnisLabs\HotJot\Signer\None;
```

### Token Creation


Now that you know about signers, let's see how can you create tokens.

To create tokens you'll need the `Factory` and a `Signer`, and you'll get a `Token` object with a few handy methods.

#### Creating Secured Tokens


To create secured tokens, use any signer except `None`.

```
$signer = new \IgnisLabs\HotJot\Signer\HMAC\HS512('encryption key');
$factory = new \IgnisLabs\HotJot\Factory($signer);

$token = $factory->create([
    'iss' => 'http://api.example.com',
    'aud' => 'http://www.example.com',
    'jti' => bin2hex(random_bytes(16)),
    'exp' => (new DateTime('+10 days'))->getTimestamp(),
    // etc...
]);

$token->getHeader('alg'); // -> 'HS512'
$token->getClaim('iss'); // -> 'http://api.example.com'
$token->getClaim('exp'); // -> DateTime object
```

As you can see, `exp` returns a `DateTime` object, and so will `iat` and `nbf`.

If you need to use a different signer for some reason, you can do it like this:

```
$newFactory = $factory->setSigner($anotherSigner);
```

The factory is immutable, so when you do this, the current factory instance is not modified, instead a new instance is returned with the new signer.

This is useful when you want to temporarily change the signature for a special use case.

#### Creating Unsecured Tokens


To create unsecured tokens you need to use the `None` signer.

> **Warning!** Even though you technically can create unsecured tokens, you should be really careful and know very well what you're doing.

```
$signer = new \IgnisLabs\HotJot\Signer\None;
$factory = new \IgnisLabs\HotJot\Factory($signer);

$token = $factory->create([
    'iss' => 'http://api.example.com',
    'aud' => 'http://www.example.com',
    'jti' => bin2hex(random_bytes(16)),
    'exp' => (new DateTime('+10 days'))->getTimestamp(),
    // etc...
]);

$token->getHeader('alg'); // -> 'none'
$token->getSignature(); // -> null
```

### Parsing


You can parse encoded token strings with the parser. How you obtain the encoded token (Authorization header, query parameter, etc.) is out of the scope of the library; prefer the `Authorization` header, since tokens passed in query strings end up in server logs, proxies and browser history.

When you parse an encoded token, you'll get back a `Token` object, same one as with the `Factory`.

```
$parser = new \IgnisLabs\HotJot\Parser;
$token = $parser->parse($encodedTokenString);
```

The parser **does not verify or validate the token**. As long as the string is well-formed and RFC-compliant, `parse()` succeeds and returns a `Token` object whose headers and claims are, at this point, still attacker-controlled. Treat nothing in it as trustworthy until a `Signer` has verified the signature and the `Validator` has checked the claims.

If the parser does fail it will throw an `InvalidTokenException` with the appropriate message.

### Signature Verification


This is a critical step when receiving tokens from the outside world.

This library never selects a signing algorithm from the token's `alg` header, and you shouldn't either. A verifier that trusts `alg` is open to the [known JWT library vulnerabilities](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/): the attacker sets `alg` to `none` and strips the signature, or rewrites an RSA-signed token as `HS256` so that the verifier's public key is used as the HMAC secret.

This library makes it easy not to fall for these exploits: you instantiate the desired signer yourself, and the keys are bound to that signer at construction time rather than passed in at verification, which leaves less room for error.

Every signer first compares the token's `alg` header with its own algorithm and throws a `SignatureVerificationException` if they differ, so a token carrying `alg: none` is rejected by an `HS512` signer before any key material is used.

```
$signer = new \IgnisLabs\HotJot\Signer\RSA\RS512($privateKey, $publicKey, 'passphrase');
$signer->verify($token); // -> boolean — $token most likely obtained through the parser
```
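Putting the three steps together, here is an added example (not the project's own code) of the receive side: take the `Authorization` header, parse, verify with a fixed `HS512` signer, validate the time claims, and then bind the token to the expected `iss` and `aud`, which the bundled validators do not check. The issuer, audience, secret and the two demo tokens are constructed for the example. The tokens are assembled by hand rather than through the `Factory` so that the example does not depend on a `Token` serialization method this page does not document, and so that the forged `alg: none` token can be shown byte for byte.

```php
<?php
// Added example, not part of the HotJot README or library: the complete
// receive-side pipeline (extract, parse, verify, validate, bind to iss/aud).
// Only HotJot classes and methods shown on this page are used. The two demo
// tokens at the bottom are built by hand, so the example does not rely on a
// Token serialization method the README does not document. ISSUER, AUDIENCE
// and the secret are constructed for the demo.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use IgnisLabs\HotJot\Parser;
use IgnisLabs\HotJot\Signer\HMAC\HS512;
use IgnisLabs\HotJot\Validator;
use IgnisLabs\HotJot\Validators as V;

const ISSUER   = 'http://api.example.com';
const AUDIENCE = 'http://www.example.com';

/** Return the claims we rely on, or null on ANY failure (fail closed). */
function acceptToken(string $authorization, HS512 $signer): ?array
{
    // 1. Accept only "Bearer <compact JWS>". The third segment may be empty
    //    in an unsecured token, which is exactly what step 3 must reject.
    if (!preg_match('/^Bearer ([\w-]+\.[\w-]+\.[\w-]*)$/', $authorization, $m)) {
        return null;
    }
    try {
        // 2. Parse: structure only, nothing is trusted yet.
        $token = (new Parser)->parse($m[1]);

        // 3. Verify with OUR signer. The signer compares the token's `alg`
        //    with HS512 first: "none" or "RS512" throws, a bad MAC returns false.
        if (!$signer->verify($token)) {
            return null;
        }

        // 4. Time claims, each made mandatory with `true`.
        (new Validator(
            new V\IssuedAtValidator(true),
            new V\NotBeforeValidator(true),
            new V\ExpiresAtValidator(true)
        ))->validate($token);

        // 5. Bind the token to this issuer and this audience; otherwise a
        //    genuine token minted for another service would be accepted here.
        $aud = $token->getClaim('aud');
        $audOk = is_array($aud) ? in_array(AUDIENCE, $aud, true)
                                : hash_equals(AUDIENCE, (string) $aud);
        if (!$audOk || !hash_equals(ISSUER, (string) $token->getClaim('iss'))) {
            return null;
        }
        return ['sub' => $token->getClaim('sub'), 'jti' => $token->getClaim('jti')];
    } catch (\Throwable $e) {
        // InvalidTokenException, SignatureVerificationException and the
        // validators' exceptions all end here; log $e, never echo it.
        return null;
    }
}

function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// --- Demo: one genuine HS512 token, one forged `alg: none` token ---
$secret = random_bytes(64);   // demo only; load from a secret store in production
$signer = new HS512($secret); // one signer, one key, one algorithm

$payload = b64url(json_encode([
    'iss' => ISSUER, 'aud' => AUDIENCE, 'sub' => 'user-42',
    'jti' => bin2hex(random_bytes(16)),
    'iat' => time(), 'nbf' => time(), 'exp' => time() + 600, // 10 minutes, not 10 days
]));

$genuine = b64url('{"alg":"HS512","typ":"JWT"}') . '.' . $payload;
$genuine .= '.' . b64url(hash_hmac('sha512', $genuine, $secret, true));

// What an attacker can mint without the key: same claims, empty signature.
$forged = b64url('{"alg":"none","typ":"JWT"}') . '.' . $payload . '.';

var_dump(acceptToken('Bearer ' . $genuine, $signer));
var_dump(acceptToken('Bearer ' . $forged, $signer));
```

The genuine token must come back as the `sub`/`jti` array and the forged one as `null`: the `HS512` signer rejects the `alg: none` header whatever the claims say. Every failure is collapsed into `null` on purpose; telling the client whether the signature was bad or the token expired only helps an attacker, so log the exception server-side and answer with one generic 401.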

### Validation


Once you have a verified token, you can start to validate it using the `Validator`.

The `Validator` is a simple class that takes a list of token validators and runs each of them against a token. The validators don't return any values; they throw an exception on failure.

This library already comes with some useful ones, but you can add as many as you need.

```
use IgnisLabs\HotJot\Validators as 🕵;

$validator = new \IgnisLabs\HotJot\Validator(
    new 🕵\IssuedAtValidator, // fails if token used before `iat`
    new 🕵\NotBeforeValidator, // fails if token used before `nbf`
    new 🕵\ExpiresAtValidator // fails if token is used after `exp`
);

$validator->validate($token);
```

To make a claim required, so that a token which omits it fails validation instead of passing the check, instantiate the validators like this (for tokens accepted from outside, require at least `exp`):

```
use IgnisLabs\HotJot\Validators as 🕵;

$validator = new \IgnisLabs\HotJot\Validator(
    new 🕵\IssuedAtValidator(true),
    new 🕵\NotBeforeValidator(true),
    new 🕵\ExpiresAtValidator(true)
);

$validator->validate($token);
```

You can create your own validators, you just need them to implement the `IgnisLabs\HotJot\Contracts\TokenValidator` contract. You also have the `\IgnisLabs\HotJot\Validators\ClaimRequiredTrait` to save you some time when creating required validators.
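As an added example (not part of the library), here is a custom validator that enforces a maximum lifetime, which none of the bundled validators do: under a 15-minute cap, the `+10 days` token from the creation examples above would be rejected even though its `exp` is in the future. The `TokenValidator` contract's method signature is not printed on this page; the example assumes `validate($token): void`, following the `Validator::validate($token)` call above and the rule that validators throw on failure, so check it against `Contracts\TokenValidator` in the installed version. `$token` is assumed to be a parsed and signature-verified token.

```php
<?php
// Added example, not part of the HotJot README or library: a custom validator
// that caps the token lifetime, something the bundled time validators do not
// check. ASSUMPTION: this page does not print the TokenValidator contract, so
// the method is assumed to be `validate($token): void`, mirroring the
// Validator::validate() call and the rule that validators throw on failure.
// Confirm against Contracts\TokenValidator in the installed version.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use IgnisLabs\HotJot\Contracts\TokenValidator;
use IgnisLabs\HotJot\Validator;
use IgnisLabs\HotJot\Validators as V;

/**
 * Fails when exp - iat exceeds a ceiling. A verifier that only checks `exp`
 * happily accepts a token issued with `+10 days`, `+1 year` or `+100 years`;
 * this caps the damage window of a leaked token regardless of what the
 * issuer chose.
 */
final class MaxLifetimeValidator implements TokenValidator
{
    /** @var int */
    private $maxSeconds;

    public function __construct(int $maxSeconds)
    {
        $this->maxSeconds = $maxSeconds;
    }

    /** @param mixed $token the HotJot Token object; signature assumed, see above */
    public function validate($token): void
    {
        $iat = $token->getClaim('iat'); // DateTime objects per the README
        $exp = $token->getClaim('exp');
        if (!$iat instanceof \DateTimeInterface || !$exp instanceof \DateTimeInterface) {
            throw new \UnexpectedValueException('both iat and exp are required');
        }
        $lifetime = $exp->getTimestamp() - $iat->getTimestamp();
        if ($lifetime < 0 || $lifetime > $this->maxSeconds) {
            throw new \UnexpectedValueException(
                sprintf('token lifetime of %d s is outside 0..%d s', $lifetime, $this->maxSeconds)
            );
        }
    }
}

// Chain it after the bundled validators; the first failure throws.
$validator = new Validator(
    new V\IssuedAtValidator(true),
    new V\ExpiresAtValidator(true),
    new MaxLifetimeValidator(15 * 60) // 15-minute access tokens
);
$validator->validate($token); // $token from the Parser, after Signer::verify()
```

The exception type thrown here is the example's own choice; the README only says that validators throw on failure, so catch broadly at the call site and fail closed.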

Algorithms
----------


✔️ none
✔️ HS256
✔️ HS384
✔️ HS512
✔️ RS256
✔️ RS384
✔️ RS512
🔲 ES256
🔲 ES384
🔲 ES512

### Health Score

26 (Low; better than 43% of packages)

- Maintenance: 20 (infrequent updates; may be unmaintained)
- Popularity: 6 (limited adoption so far)
- Community: 7 (small or concentrated contributor base)
- Maturity: 59 (maturing project, gaining track record)
- Bus factor: 1 (top contributor holds 100% of commits; single point of failure)


### Release Activity

- Cadence: every ~28 days (over 2 releases in total)
- Last release: 3095 days ago
- Major versions: 0.1.0 → 1.0.0 (2017-11-22)

### Community

- Maintainer and sole contributor: [Cosmicist](https://github.com/Cosmicist) (26 commits)

