PHPackages ingenerator/tokenista - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. ingenerator/tokenista ActiveLibrary[Authentication & Authorization](/categories/authentication) ingenerator/tokenista ===================== Simple signed and expiring token generator and validator - for password reset, CSRF, authentication, whatever v1.8.0(10mo ago)1492.1k↓36.4%5[1 issues](https://github.com/ingenerator/tokenista/issues)1BSD-3-ClausePHPPHP ~8.2.0 || ~8.3.0 || ~8.4.0CI passing Since Mar 12Pushed 10mo ago4 watchersCompare [ Source](https://github.com/ingenerator/tokenista)[ Packagist](https://packagist.org/packages/ingenerator/tokenista)[ Docs](https://github.com/ingenerator/tokenista)[ RSS](/packages/ingenerator-tokenista/feed)WikiDiscussions 1.x Synced 1mo ago READMEChangelog (10)Dependencies (2)Versions (14)Used By (1) Tokenista - generate and validate signed tokens =============================================== [](#tokenista---generate-and-validate-signed-tokens) - [![Master Build Status](https://camo.githubusercontent.com/453d9e1323461d0a7043ef3928d404fc05bbc1c04b1164120e71b8788f3a97e4/68747470733a2f2f7472617669732d63692e6f72672f696e67656e657261746f722f746f6b656e697374612e706e673f6272616e63683d6d6173746572)](https://travis-ci.org/ingenerator/tokenista) Tokenista is a lightweight library for generating and validating signed tokens that can be used for password reset links, authentication, CSRF or anything else you may require. It aims to be secure (though you should always review all security related code) and to have minimum external dependencies. Installation ------------ [](#installation) Add tokenista to your composer.json and run `composer update` to install it. ``` { "require": { "ingenerator/tokenista": "^1.4" } } ``` Basic Usage ----------- [](#basic-usage) ``` $secret = 'some-constant-secret-value'; $tokenista = new \Ingenerator\Tokenista($secret, array('lifetime' => 3600)); // Generate with default lifetime from constructor options $token = $tokenista->generate(); // Overall check if token is valid if ($tokenista->isValid($token)) { // Do whatever } // Or for more control use: $tokenista->isExpired($token); $tokenista->isTampered($token); ``` Tokenista generates tokens as a single string of the form {random}-{expirytime}-{signature}, base64 encoded so suitable for inclusion in most places. Verifying additional values --------------------------- [](#verifying-additional-values) You may want to use Tokenista's signing mechanism to verify that some additional data has not been tampered with. For example, you could use this to include email address or other confirmation information in a URL rather than having to store a record of the mapping between token and user server side. ``` $token = $tokenista->generate(3600, ['user_id' => 9123]); // Then, later: if ($tokenista->isValid($_GET['token'], ['user_id' => $_GET['user_id']]) { // You can now trust user_id, even if it came through the URL, because it matches the value you originally signed // for this token. } ``` Rotating secrets ---------------- [](#rotating-secrets) It's good practice to occasionally rotate secrets - but without invalidating signatures that haven't yet expired. This is easily done - add an `old_secrets` config option with any previous secrets that should still be valid. Tokenista will start using the new secret to produce new tokens while still accepting tokens signed with an older value. Once your maximum token expiry liftime has passed you can then remove the old secret from your list and Tokenista will stop accepting it. Testing and developing ---------------------- [](#testing-and-developing) tokenista has a full suite of [PHPUnit](http://phpunit.de) unit tests - run them with `./vendor/bin/phpunit`. Contributions will only be accepted if they are accompanied by well structured unit tests. Installing with composer should get you everything you need to work on the project. License ------- [](#license) tokenista is copyright 2014 inGenerator Ltd and released under the [BSD license](LICENSE). ### Health Score 53 — FairBetter than 97% of packages Maintenance51 Moderate activity, may be stable Popularity38 Limited adoption so far Community17 Small or concentrated contributor base Maturity88 Battle-tested with a long release history Bus Factor1 Top contributor holds 50% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~317 days Recently: every ~246 days Total 14 Last Release 325d ago Major Versions v0.1.0 → v1.0.02015-05-11 PHP version history (8 changes)v0.1.0PHP >=5.3.3 v1.1.0PHP >=5.5 v1.2.0PHP ^7.2 v1.4.0PHP ^7.4 v1.5.0PHP ^7.4 || ~8.0.0 v1.6.0PHP ~8.0.0 || ~8.1.0 || ~8.2.0 v1.7.0PHP ~8.1.0 || ~8.2.0 || ~8.3.0 v1.8.0PHP ~8.2.0 || ~8.3.0 || ~8.4.0 ### Community Maintainers ![](https://www.gravatar.com/avatar/f6ebcc608a86cec9a3ce7a4932994e2b89fabbfcdde69aff43e8139f34e07a5e?d=identicon)[acoulton](/maintainers/acoulton) --- Top Contributors [![craig410](https://avatars.githubusercontent.com/u/1156379?v=4)](https://github.com/craig410 "craig410 (25 commits)")[![acoulton](https://avatars.githubusercontent.com/u/416566?v=4)](https://github.com/acoulton "acoulton (23 commits)")[![peter279k](https://avatars.githubusercontent.com/u/9021747?v=4)](https://github.com/peter279k "peter279k (2 commits)") --- Tags authtokencsrf ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/ingenerator-tokenista/health.svg) ``` [![Health](https://phpackages.com/badges/ingenerator-tokenista/health.svg)](https://phpackages.com/packages/ingenerator-tokenista) ``` ### Alternatives [kreait/firebase-tokens A library to work with Firebase tokens 24040.8M14](/packages/kreait-firebase-tokens)[adhocore/jwt Ultra lightweight JSON web token (JWT) library for PHP5.5+. 3031.6M15](/packages/adhocore-jwt)[dyorg/slim-token-authentication Slim 3.0+ Token Authentication Middleware 78106.5k](/packages/dyorg-slim-token-authentication)[matricali/akamai-token-auth This library provides necessary logic to generate Akamai edge authorization token and signed URL. 111.2M](/packages/matricali-akamai-token-auth)[erjanmx/laravel-api-auth Dead simple Laravel api authorization middleware 2024.5k](/packages/erjanmx-laravel-api-auth)[omnilight/yii2-tokens Provides classes for token validations for Yii2 framework 105.0k](/packages/omnilight-yii2-tokens) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)