PHPackages lindelius/php-jwt - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. lindelius/php-jwt Abandoned → [firebase/php-jwt](/?search=firebase%2Fphp-jwt)ArchivedLibrary[Authentication & Authorization](/categories/authentication) lindelius/php-jwt ================= Convenience library for working with JSON Web Tokens (JWT) in PHP 0.9.1(5y ago)3399.8k↓30.6%43Apache-2.0PHPPHP ^7.2||^8.0 Since Feb 28Pushed 4y ago4 watchersCompare [ Source](https://github.com/lindelius/php-jwt)[ Packagist](https://packagist.org/packages/lindelius/php-jwt)[ Docs](https://github.com/lindelius/php-jwt)[ RSS](/packages/lindelius-php-jwt/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (10)Dependencies (2)Versions (14)Used By (3) php-jwt ======= [](#php-jwt) [![CircleCI](https://camo.githubusercontent.com/12ed8a3356c89be0f1f2db3b1f0f1e31cb92d535e534103d571f2326fdff0af0/68747470733a2f2f636972636c6563692e636f6d2f67682f6c696e64656c6975732f7068702d6a77742e7376673f7374796c653d736869656c64)](https://circleci.com/gh/lindelius/php-jwt) A convenience library for working with JSON Web Tokens (JWT) in PHP. This library conforms to [RFC 7519](https://tools.ietf.org/html/rfc7519), with the exception of not allowing unsigned JWTs (the "none" algorithm), and has built-in support for the following claims: - The `aud` (audience) claim - [Section 4.1.3](https://tools.ietf.org/html/rfc7519#section-4.1.3) - The `exp` (expiration time) claim - [Section 4.1.4](https://tools.ietf.org/html/rfc7519#section-4.1.4) - The `iat` (issued at) claim - [Section 4.1.6](https://tools.ietf.org/html/rfc7519#section-4.1.6) - The `iss` (issuer) claim - [Section 4.1.1](https://tools.ietf.org/html/rfc7519#section-4.1.1) - The `nbf` (not before) claim - [Section 4.1.5](https://tools.ietf.org/html/rfc7519#section-4.1.5) Requirements ------------ [](#requirements) - PHP 7.2, or higher - OpenSSL PHP extension (for certain algorithms) Table of Contents ----------------- [](#table-of-contents) - [Installation](#installation) - [Usage](#usage) - [Algorithm Choices](#algorithm-choices) - [Leeway Time](#leeway-time) - [Multiple Encryption Keys](#multiple-encryption-keys) - [Benchmarking](#benchmarking) Installation ------------ [](#installation) If you are using Composer, you may install the latest version of this library by running the following command from your project's root folder: ``` composer require lindelius/php-jwt ``` You may also manually download the library by navigating to the "Releases" page and then expanding the "Assets" section of the latest release. Usage ----- [](#usage) **Step 1.** Extend the abstract `JWT` model and pick an algorithm. ``` use Lindelius\JWT\Algorithm\HMAC\HS256; use Lindelius\JWT\JWT; class MyJWT extends JWT { use HS256; } ``` **Step 2.** Start creating your JWTs :) ``` $jwt = MyJWT::create('HS256'); // Include whatever data is required by your use case $jwt->field = 'value'; $jwt->other = ['nested_field' => 'value']; // Let the JWT expire after 20 minutes (optional, but recommended) $jwt->exp = time() + (60 * 20); // Encode the JWT using a key suitable for the chosen algorithm $encodedJwtHash = $jwt->encode('YOUR_HMAC_KEY'); ``` **Step 3.** Decode and verify the JWTs that are sent back. ``` $decodedJwt = MyJWT::decode($encodedJwtHash); // The data is available immediately after decode $field = $decodedJwt->field; $other = $decodedJwt->other; // HOWEVER, do NOT forget to verify the data before trusting it $decodedJwt->verify('THE_SAME_HMAC_KEY'); ``` If you are making use of any of the claims with built-in support (`aud` or `iss`), you may verify them by passing the expected values to the `verify()` method (as seen below). ``` $decodedJwt->verify('THE_SAME_HMAC_KEY', [ // Single valid audience 'aud' => 'https://my-application.tld', // Multiple valid issuers 'iss' => ['Expected Issuer', 'Alternate Issuer'], ]); ``` ### Algorithm Choices [](#algorithm-choices) The following algorithms are currently included with the library: - **HS256** - **HS384** - **HS512** - **RS256** *(requires the OpenSSL extension)* - **RS384** *(requires the OpenSSL extension)* - **RS512** *(requires the OpenSSL extension)* You may use any of the built-in algorithms by simply including the relevant trait(s) in your JWT model. ``` use Lindelius\JWT\Algorithm\RSA\RS256; use Lindelius\JWT\JWT; class MyJWT extends JWT { use RS256; } $jwt = MyJWT::create('RS256'); ``` If you would like to use an algorithm that is not yet included with the library you can easily add support for it by implementing the required `encodeWithX()` and `verifyWithX()` methods (in the same fashion as the currently included traits). ### Leeway Time [](#leeway-time) If your application servers suffer from clock skew, you can make use of the `JWT::$leeway` property to give them a couple of extra seconds when verifying certain claims (`exp`, `iat`, and `nbf`). It's highly recommended to keep the leeway time as low as possible. ``` use Lindelius\JWT\JWT; class MyJWT extends JWT { public static $leeway = 60; } ``` ### Multiple Encryption Keys [](#multiple-encryption-keys) If your application makes use of multiple encryption keys you will, in one way or another, have to keep track of which key was used for which JWT. One way to do this is to use the `kid` header field to include the "key ID" with the JWT. ``` $availableKeys = [ 'key_1' => 'J5hZTw1vtee0PGaoAuaW', 'key_2' => '8zUpiGcaPkNhNGi8oyrq', 'key_3' => 'RfxRP43BIKoSQ7P1GfeO', ]; // Decide which key to use for the JWT $keyId = 'key_2'; // Include the key ID ("kid") in the JWT's header $jwt = MyJWT::create('HS256'); $jwt->setHeaderField('kid', $keyId); $encodedJwt = $jwt->encode($availableKeys[$keyId]); ``` If you use this approach, all you have to do when verifying the JWT is to provide the `JWT::verify()` method with `$availableKeys` and it will automatically look-up and use the correct key. ``` $decodedJwt = MyJWT::decode($encodedJwt); $decodedJwt->verify($availableKeys); ``` Benchmarking ------------ [](#benchmarking) This library is using [PHPBench](https://github.com/phpbench/phpbench) for benchmarking. You can benchmark the library on your own system by running the following command from the library's root folder. ``` ./vendor/bin/phpbench run benchmarks/ --report=default ``` ### Health Score 39 — LowBetter than 86% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity40 Moderate usage in the ecosystem Community16 Small or concentrated contributor base Maturity65 Established project with proven stability Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~120 days Recently: every ~206 days Total 13 Last Release 1926d ago PHP version history (4 changes)0.1PHP ^5.6 || ^7.0 0.7PHP ^7.1 0.9PHP ^7.2 0.9.1PHP ^7.2||^8.0 ### Community Maintainers ![](https://avatars.githubusercontent.com/u/8205651?v=4)[Tom Lindelius](/maintainers/lindelius)[@lindelius](https://github.com/lindelius) --- Top Contributors [![lindelius](https://avatars.githubusercontent.com/u/8205651?v=4)](https://github.com/lindelius "lindelius (146 commits)") --- Tags authenticationjson-web-tokenjwtjwtauthJSON Web Token ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/lindelius-php-jwt/health.svg) ``` [![Health](https://phpackages.com/badges/lindelius-php-jwt/health.svg)](https://phpackages.com/packages/lindelius-php-jwt) ``` ### Alternatives [tymon/jwt-auth JSON Web Token Authentication for Laravel and Lumen 11.5k49.1M350](/packages/tymon-jwt-auth)[php-open-source-saver/jwt-auth JSON Web Token Authentication for Laravel and Lumen 8359.8M53](/packages/php-open-source-saver-jwt-auth)[auth0/auth0-php PHP SDK for Auth0 Authentication and Management APIs. 40820.2M68](/packages/auth0-auth0-php)[auth0/login Auth0 Laravel SDK. Straight-forward and tested methods for implementing authentication, and accessing Auth0's Management API endpoints. 2745.0M3](/packages/auth0-login)[adhocore/jwt Ultra lightweight JSON web token (JWT) library for PHP5.5+. 3031.6M15](/packages/adhocore-jwt)[auth0/symfony Symfony SDK for Auth0 Authentication and Management APIs. 128738.1k](/packages/auth0-symfony) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)