PHPackages                             lx3gp/think-jwt - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. lx3gp/think-jwt

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

lx3gp/think-jwt
===============

A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.

1.0.7(4y ago)024Apache-2.0PHPPHP ^7.1||^8.0

Since Mar 25Pushed 4y agoCompare

[ Source](https://github.com/lx3gp/think-jwt)[ Packagist](https://packagist.org/packages/lx3gp/think-jwt)[ Docs](https://github.com/lx3gp/think-jwt)[ RSS](/packages/lx3gp-think-jwt/feed)WikiDiscussions main Synced today

READMEChangelog (7)Dependencies (1)Versions (8)Used By (0)

[![Build Status](https://github.com/firebase/php-jwt/actions/workflows/tests.yml/badge.svg)](https://github.com/firebase/php-jwt/actions/workflows/tests.yml/badge.svg)[![Latest Stable Version](https://camo.githubusercontent.com/bebc7cfe76c18d3d232ea4163cac4402a05152f133d87d30592fc8cf4247e44a/68747470733a2f2f706f7365722e707567782e6f72672f66697265626173652f7068702d6a77742f762f737461626c65)](https://packagist.org/packages/firebase/php-jwt)[![Total Downloads](https://camo.githubusercontent.com/067ce010f6f401b143ead4b6d7d09d3bf778445a701d10339f75de812285d798/68747470733a2f2f706f7365722e707567782e6f72672f66697265626173652f7068702d6a77742f646f776e6c6f616473)](https://packagist.org/packages/firebase/php-jwt)[![License](https://camo.githubusercontent.com/c4297c941ea39c4f981b2490a343a9a99a721aec347fedf367cd13e30a1fdce4/68747470733a2f2f706f7365722e707567782e6f72672f66697265626173652f7068702d6a77742f6c6963656e7365)](https://packagist.org/packages/firebase/php-jwt)

PHP-JWT
=======

[](#php-jwt)

A simple library to encode and decode JSON Web Tokens (JWT) in PHP, conforming to [RFC 7519](https://tools.ietf.org/html/rfc7519).

Installation
------------

[](#installation)

Use composer to manage your dependencies and download PHP-JWT:

```
composer require lx3gp/think-jwt
```

Optionally, install the `paragonie/sodium_compat` package from composer if your php is &lt; 7.2 or does not have libsodium installed:

```
composer require paragonie/sodium_compat
```

Example
-------

[](#example)

```
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

$key = "example_key";
$payload = array(
    "iss" => "http://example.org",
    "aud" => "http://example.com",
    "iat" => 1356999524,
    "nbf" => 1357000000
);

/**
 * IMPORTANT:
 * You must specify supported algorithms for your application. See
 * https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
 * for a list of spec-compliant algorithms.
 */
$jwt = JWT::encode($payload, $key, 'HS256');
$decoded = JWT::decode($jwt, new Key($key, 'HS256'));

print_r($decoded);

/*
 NOTE: This will now be an object instead of an associative array. To get
 an associative array, you will need to cast it as such:
*/

$decoded_array = (array) $decoded;

/**
 * You can add a leeway to account for when there is a clock skew times between
 * the signing and verifying servers. It is recommended that this leeway should
 * not be bigger than a few minutes.
 *
 * Source: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#nbfDef
 */
JWT::$leeway = 60; // $leeway in seconds
$decoded = JWT::decode($jwt, new Key($key, 'HS256'));
```

Example with RS256 (openssl)
----------------------------

[](#example-with-rs256-openssl)

```
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

$privateKey =  "example.com",
    "iat" => 1356999524,
    "nbf" => 1357000000
);

$jwt = JWT::encode($payload, $privateKey, 'RS256');
echo "Encode:\n" . print_r($jwt, true) . "\n";

$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));

/*
 NOTE: This will now be an object instead of an associative array. To get
 an associative array, you will need to cast it as such:
*/

$decoded_array = (array) $decoded;
echo "Decode:\n" . print_r($decoded_array, true) . "\n";
```

Example with a passphrase
-------------------------

[](#example-with-a-passphrase)

```
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Your passphrase
$passphrase = '[YOUR_PASSPHRASE]';

// Your private key file with passphrase
// Can be generated with "ssh-keygen -t rsa -m pem"
$privateKeyFile = '/path/to/key-with-passphrase.pem';

// Create a private key of type "resource"
$privateKey = openssl_pkey_get_private(
    file_get_contents($privateKeyFile),
    $passphrase
);

$payload = array(
    "iss" => "example.org",
    "aud" => "example.com",
    "iat" => 1356999524,
    "nbf" => 1357000000
);

$jwt = JWT::encode($payload, $privateKey, 'RS256');
echo "Encode:\n" . print_r($jwt, true) . "\n";

// Get public key from the private key, or pull from from a file.
$publicKey = openssl_pkey_get_details($privateKey)['key'];

$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
```

Example with EdDSA (libsodium and Ed25519 signature)
----------------------------------------------------

[](#example-with-eddsa-libsodium-and-ed25519-signature)

```
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Public and private keys are expected to be Base64 encoded. The last
// non-empty line is used so that keys can be generated with
// sodium_crypto_sign_keypair(). The secret keys generated by other tools may
// need to be adjusted to match the input expected by libsodium.

$keyPair = sodium_crypto_sign_keypair();

$privateKey = base64_encode(sodium_crypto_sign_secretkey($keyPair));

$publicKey = base64_encode(sodium_crypto_sign_publickey($keyPair));

$payload = array(
    "iss" => "example.org",
    "aud" => "example.com",
    "iat" => 1356999524,
    "nbf" => 1357000000
);

$jwt = JWT::encode($payload, $privateKey, 'EdDSA');
echo "Encode:\n" . print_r($jwt, true) . "\n";

$decoded = JWT::decode($jwt, new Key($publicKey, 'EdDSA'));
echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
```

Using JWKs
----------

[](#using-jwks)

```
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

// Set of keys. The "keys" key is required. For example, the JSON response to
// this endpoint: https://www.gstatic.com/iap/verify/public_key-jwk
$jwks = ['keys' => []];

// JWK::parseKeySet($jwks) returns an associative array of **kid** to Firebase\JWT\Key
// objects. Pass this as the second parameter to JWT::decode.
JWT::decode($payload, JWK::parseKeySet($jwks));
```

Miscellaneous
-------------

[](#miscellaneous)

#### Casting to array

[](#casting-to-array)

The return value of `JWT::decode` is the generic PHP object `stdClass`. If you'd like to handle with arrays instead, you can do the following:

```
// return type is stdClass
$decoded = JWT::decode($payload, $keys);

// cast to array
$decoded = json_decode(json_encode($decoded), true);
```

Changelog
---------

[](#changelog)

#### 6.1.0 / 2022-03-23

[](#610--2022-03-23)

- Drop support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0
- Add parameter typing and return types where possible

#### 6.0.0 / 2022-01-24

[](#600--2022-01-24)

- **Backwards-Compatibility Breaking Changes**: See the [Release Notes](https://github.com/firebase/php-jwt/releases/tag/v6.0.0) for more information.
- New Key object to prevent key/algorithm type confusion (#365)
- Add JWK support (#273)
- Add ES256 support (#256)
- Add ES384 support (#324)
- Add Ed25519 support (#343)

#### 5.0.0 / 2017-06-26

[](#500--2017-06-26)

- Support RS384 and RS512. See [\#117](https://github.com/firebase/php-jwt/pull/117). Thanks [@joostfaassen](https://github.com/joostfaassen)!
- Add an example for RS256 openssl. See [\#125](https://github.com/firebase/php-jwt/pull/125). Thanks [@akeeman](https://github.com/akeeman)!
- Detect invalid Base64 encoding in signature. See [\#162](https://github.com/firebase/php-jwt/pull/162). Thanks [@psignoret](https://github.com/psignoret)!
- Update `JWT::verify` to handle OpenSSL errors. See [\#159](https://github.com/firebase/php-jwt/pull/159). Thanks [@bshaffer](https://github.com/bshaffer)!
- Add `array` type hinting to `decode` method See [\#101](https://github.com/firebase/php-jwt/pull/101). Thanks [@hywak](https://github.com/hywak)!
- Add all JSON error types. See [\#110](https://github.com/firebase/php-jwt/pull/110). Thanks [@gbalduzzi](https://github.com/gbalduzzi)!
- Bugfix 'kid' not in given key list. See [\#129](https://github.com/firebase/php-jwt/pull/129). Thanks [@stampycode](https://github.com/stampycode)!
- Miscellaneous cleanup, documentation and test fixes. See [\#107](https://github.com/firebase/php-jwt/pull/107), [\#115](https://github.com/firebase/php-jwt/pull/115), [\#160](https://github.com/firebase/php-jwt/pull/160), [\#161](https://github.com/firebase/php-jwt/pull/161), and [\#165](https://github.com/firebase/php-jwt/pull/165). Thanks [@akeeman](https://github.com/akeeman), [@chinedufn](https://github.com/chinedufn), and [@bshaffer](https://github.com/bshaffer)!

#### 4.0.0 / 2016-07-17

[](#400--2016-07-17)

- Add support for late static binding. See [\#88](https://github.com/firebase/php-jwt/pull/88) for details. Thanks to [@chappy84](https://github.com/chappy84)!
- Use static `$timestamp` instead of `time()` to improve unit testing. See [\#93](https://github.com/firebase/php-jwt/pull/93) for details. Thanks to [@josephmcdermott](https://github.com/josephmcdermott)!
- Fixes to exceptions classes. See [\#81](https://github.com/firebase/php-jwt/pull/81) for details. Thanks to [@Maks3w](https://github.com/Maks3w)!
- Fixes to PHPDoc. See [\#76](https://github.com/firebase/php-jwt/pull/76) for details. Thanks to [@akeeman](https://github.com/akeeman)!

#### 3.0.0 / 2015-07-22

[](#300--2015-07-22)

- Minimum PHP version updated from `5.2.0` to `5.3.0`.
- Add `\Firebase\JWT` namespace. See [\#59](https://github.com/firebase/php-jwt/pull/59) for details. Thanks to [@Dashron](https://github.com/Dashron)!
- Require a non-empty key to decode and verify a JWT. See [\#60](https://github.com/firebase/php-jwt/pull/60) for details. Thanks to [@sjones608](https://github.com/sjones608)!
- Cleaner documentation blocks in the code. See [\#62](https://github.com/firebase/php-jwt/pull/62) for details. Thanks to [@johanderuijter](https://github.com/johanderuijter)!

#### 2.2.0 / 2015-06-22

[](#220--2015-06-22)

- Add support for adding custom, optional JWT headers to `JWT::encode()`. See [\#53](https://github.com/firebase/php-jwt/pull/53/files) for details. Thanks to [@mcocaro](https://github.com/mcocaro)!

#### 2.1.0 / 2015-05-20

[](#210--2015-05-20)

- Add support for adding a leeway to `JWT:decode()` that accounts for clock skew between signing and verifying entities. Thanks to [@lcabral](https://github.com/lcabral)!
- Add support for passing an object implementing the `ArrayAccess` interface for `$keys` argument in `JWT::decode()`. Thanks to [@aztech-dev](https://github.com/aztech-dev)!

#### 2.0.0 / 2015-04-01

[](#200--2015-04-01)

- **Note**: It is strongly recommended that you update to &gt; v2.0.0 to address known security vulnerabilities in prior versions when both symmetric and asymmetric keys are used together.
- Update signature for `JWT::decode(...)` to require an array of supported algorithms to use when verifying token signatures.

Tests
-----

[](#tests)

Run the tests using phpunit:

```
$ pear install PHPUnit
$ phpunit --configuration phpunit.xml.dist
PHPUnit 3.7.10 by Sebastian Bergmann.
.....
Time: 0 seconds, Memory: 2.50Mb
OK (5 tests, 5 assertions)
```

New Lines in private keys
-------------------------

[](#new-lines-in-private-keys)

If your private key contains `\n` characters, be sure to wrap it in double quotes `""`and not single quotes `''` in order to properly interpret the escaped characters.

License
-------

[](#license)

[3-Clause BSD](http://opensource.org/licenses/BSD-3-Clause).

###  Health Score

25

—

LowBetter than 35% of packages

Maintenance20

Infrequent updates — may be unmaintained

Popularity6

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity59

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~1 days

Total

7

Last Release

1554d ago

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/33350200?v=4)[lx3gp](/maintainers/lx3gp)[@lx3gp](https://github.com/lx3gp)

---

Top Contributors

[![lx3gp](https://avatars.githubusercontent.com/u/33350200?v=4)](https://github.com/lx3gp "lx3gp (21 commits)")

---

Tags

jwtthinkphpphp71

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/lx3gp-think-jwt/health.svg)

```
[![Health](https://phpackages.com/badges/lx3gp-think-jwt/health.svg)](https://phpackages.com/packages/lx3gp-think-jwt)
```

###  Alternatives

[firebase/php-jwt

A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.

10.0k478.8M2.7k](/packages/firebase-php-jwt)[lcobucci/jwt

A simple library to work with JSON Web Token and JSON Web Signature

7.6k338.7M1.1k](/packages/lcobucci-jwt)[tymon/jwt-auth

JSON Web Token Authentication for Laravel and Lumen

11.7k51.8M370](/packages/tymon-jwt-auth)[namshi/jose

JSON Object Signing and Encryption library for PHP.

1.8k103.2M103](/packages/namshi-jose)[web-token/jwt-framework

JSON Object Signing and Encryption library for PHP and Symfony Bundle.

95220.7M102](/packages/web-token-jwt-framework)[php-open-source-saver/jwt-auth

JSON Web Token Authentication for Laravel and Lumen

84611.1M63](/packages/php-open-source-saver-jwt-auth)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
