PHPackages                             token/jwt - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. token/jwt

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

token/jwt
=========

A simple library to work with JSON Web Token and JSON Web Signature.

v4.4.0(1y ago)010.1kMITPHPPHP ^7.4 || ^8.0

Since Apr 15Pushed 1y ago1 watchersCompare

[ Source](https://github.com/dependencies-packagist/jwt)[ Packagist](https://packagist.org/packages/token/jwt)[ Docs](https://github.com/dependencies-packagist/jwt)[ RSS](/packages/token-jwt/feed)WikiDiscussions main Synced 1mo ago

READMEChangelogDependenciesVersions (3)Used By (0)

JSON Web Token and JSON Web Signature
=====================================

[](#json-web-token-and-json-web-signature)

A simple library to work with JSON Web Token and JSON Web Signature based on the [RFC 7519](https://tools.ietf.org/html/rfc7519).

[![GitHub Tag](https://camo.githubusercontent.com/472a79e97488e6fc61cbaf1cc1284d6416ba93228244f504fbed6714b0f66c7c/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f762f7461672f646570656e64656e636965732d7061636b61676973742f6a7774)](https://github.com/dependencies-packagist/jwt/tags)[![Total Downloads](https://camo.githubusercontent.com/fbe3747005ed23c9e24a4428b4a83d42e796f2bc2b04bd144b84c694fe3b8b55/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f746f6b656e2f6a77743f7374796c653d666c61742d737175617265)](https://packagist.org/packages/token/jwt)[![Packagist Version](https://camo.githubusercontent.com/b45340315aedf7efc94aab436f17d60ea0b993bfb7bbe4c873ea18b041a70358/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f746f6b656e2f6a7774)](https://packagist.org/packages/token/jwt)[![Packagist PHP Version Support](https://camo.githubusercontent.com/0b286ffd778c0cd3ace3bb08d66c7c4f4a64c46c12ef20216e266637e4f0d30b/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f746f6b656e2f6a7774)](https://github.com/dependencies-packagist/jwt)[![Packagist License](https://camo.githubusercontent.com/b1ebbaeb5e008d75142b06d363fb38f64e7a07a6fcd02ae3a9ec6012cfadcef7/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f6c6963656e73652f646570656e64656e636965732d7061636b61676973742f6a7774)](https://github.com/dependencies-packagist/jwt)

Installation
------------

[](#installation)

You can install the package via [Composer](https://getcomposer.org/):

```
composer require token/jwt
```

Documentation
-------------

[](#documentation)

The documentation is available at .

Supported Algorithms
--------------------

[](#supported-algorithms)

This library supports signing and verifying tokens with both symmetric and asymmetric algorithms. Encryption is not yet supported.

Each algorithm will produce signature with different length. If you have constraints regarding the length of the issued tokens, choose the algorithms that generate shorter output (`HS256`, `RS256`, and `ES256`).

### Symmetric algorithms

[](#symmetric-algorithms)

Symmetric algorithms perform signature creation and verification using the very same key/secret. They're usually recommended for scenarios where these operations are handled by the very same component.

NameDescriptionClassKey length req.`HS256`HMAC using SHA-256`\Token\JWT\Signature\Hmac\HS256``>= 256 bits``HS384`HMAC using SHA-384`\Token\JWT\Signature\Hmac\HS384``>= 384 bits``HS512`HMAC using SHA-512`\Token\JWT\Signature\Hmac\HS512``>= 512 bits`### Asymmetric algorithms

[](#asymmetric-algorithms)

Asymmetric algorithms perform signature creation with private/secret keys and verification with public keys. They're usually recommended for scenarios where creation is handled by a component and verification by many others.

NameDescriptionClassKey length req.`ES256`ECDSA using P-256 and SHA-256`\Token\JWT\Signature\Ecdsa\ES256``== 256 bits``ES384`ECDSA using P-384 and SHA-384`\Token\JWT\Signature\Ecdsa\ES384``== 384 bits``ES512`ECDSA using P-521 and SHA-512`\Token\JWT\Signature\Ecdsa\ES512``== 521 bits``RS256`RSASSA-PKCS1-v1\_5 using SHA-256`\Token\JWT\Signature\Rsa\RS256``>= 2048 bits``RS384`RSASSA-PKCS1-v1\_5 using SHA-384`\Token\JWT\Signature\Rsa\RS384``>= 2048 bits``RS512`RSASSA-PKCS1-v1\_5 using SHA-512`\Token\JWT\Signature\Rsa\RS512``>= 2048 bits``EdDSA`EdDSA signature algorithms`\Token\JWT\Signature\Eddsa``>= 256 bits`### `none` algorithm

[](#none-algorithm)

The `none` algorithm as described by [JWT standard](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms) is intentionally not implemented and not supported. The risk of misusing it is too high, and even where other means guarantee the token validity a symmetric algorithm shouldn't represent a computational bottleneck with modern hardware.

Usage
-----

[](#usage)

### Issuing tokens

[](#issuing-tokens)

```
use Token\JWT\Builder;
use Token\JWT\Encoding\ChainedFormatter;
use Token\JWT\Encoding\JoseEncoder;
use Token\JWT\Signature\Hmac\HS256;
use Token\JWT\Key;

$algorithm  = new HS256();
$signingKey = Key::plainText(random_bytes(32));

$now     = new DateTimeImmutable();
$builder = new Builder(new JoseEncoder(), ChainedFormatter::default());
$token   = $builder
    // Configures the issuer (iss claim)
    ->issuedBy('http://example.com')
    // Configures the audience (aud claim)
    ->permittedFor('http://example.org')
    // Configures the id (jti claim)
    ->identifiedBy('4f1g23a12aa')
    // Configures the time that the token was issue (iat claim)
    ->issuedAt($now)
    // Configures the time that the token can be used (nbf claim)
    ->canOnlyBeUsedAfter($now->modify('+1 minute'))
    // Configures the expiration time of the token (exp claim)
    ->expiresAt($now->modify('+1 hour'))
    // Configures a new claim, called "uid"
    ->withClaim('uid', 1)
    // Configures a new header, called "foo"
    ->withHeader('foo', 'bar')
    // Builds a new token
    ->getToken($algorithm, $signingKey);

var_dump($token->toString());
```

### Parsing tokens

[](#parsing-tokens)

To parse a token you must create a new parser and ask it to parse a string:

```
use Token\JWT\Parser;
use Token\JWT\Encoding\JoseEncoder;

$parser = new Parser(new JoseEncoder());

$token = $parser->parse(
    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
    . 'eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
    . '2gSBz9EOsQRN9I-3iSxJoFt7NtgV6Rm0IL6a8CAwl3Q'
);

var_dump($token->headers()); // Retrieves the token headers
var_dump($token->claims()); // Retrieves the token claims
```

### Validating tokens

[](#validating-tokens)

This method goes through every single constraint in the set, groups all the violations, and throws an exception with the grouped violations:

```
use Token\JWT\Encoding\JoseEncoder;
use Token\JWT\Exceptions\RequiredConstraintsViolated;
use Token\JWT\Parser;
use Token\JWT\Validation\Constraint\RelatedTo;
use Token\JWT\Validation\Validator;

$parser = new Parser(new JoseEncoder());

$token = $parser->parse(
    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
    . 'eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
    . '2gSBz9EOsQRN9I-3iSxJoFt7NtgV6Rm0IL6a8CAwl3Q'
);

$validator = new Validator();

try {
    // $validator->assert($token, new RelatedTo('1234567891'));// throw an exception
    $validator->assert($token, new RelatedTo('1234567890'));
} catch (RequiredConstraintsViolated $e) {
    // list of constraints violation exceptions:
    var_dump($e->violations());
}

var_dump($token->toString());
```

#### Available constraints

[](#available-constraints)

This library provides the following constraints:

- `Token\JWT\Validation\Constraint\IdentifiedBy`: verifies if the claim `jti` matches the expected value
- `Token\JWT\Validation\Constraint\IssuedBy`: verifies if the claim `iss` is listed as expected values
- `Token\JWT\Validation\Constraint\PermittedFor`: verifies if the claim `aud` contains the expected value
- `Token\JWT\Validation\Constraint\RelatedTo`: verifies if the claim `sub` matches the expected value
- `Token\JWT\Validation\Constraint\SignedWith`: verifies if the token was signed with the expected signer and key
- `Token\JWT\Validation\Constraint\ValidAt`: verifies the claims `iat`, `nbf`, and `exp` (supports leeway configuration)

Acknowledgements
----------------

[](#acknowledgements)

This project is heavily inspired by and refactored from [@lcobucci](https://github.com/lcobucci)'s excellent work on [lcobucci/jwt](https://github.com/lcobucci/jwt).

We appreciate the clean architecture and thoughtful design of the original implementation, which made it much easier to build upon and extend with our own features.

> Original Project License: BSD-3-Clause license
> Please refer to the original repository for detailed history and contributions.

License
-------

[](#license)

Nacosvel Contracts is made available under the MIT License (MIT). Please see [License File](LICENSE) for more information.

###  Health Score

31

—

LowBetter than 68% of packages

Maintenance48

Moderate activity, may be stable

Popularity18

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity43

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~0 days

Total

2

Last Release

397d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/2da9b458375a1b7972b7c4d26a5bf8f3e48db305e8805da36f253956f33c5568?d=identicon)[jundayw](/maintainers/jundayw)

---

Top Contributors

[![jundayw](https://avatars.githubusercontent.com/u/16873970?v=4)](https://github.com/jundayw "jundayw (25 commits)")

---

Tags

jwtJWS

### Embed Badge

![Health badge](/badges/token-jwt/health.svg)

```
[![Health](https://phpackages.com/badges/token-jwt/health.svg)](https://phpackages.com/packages/token-jwt)
```

###  Alternatives

[lcobucci/jwt

A simple library to work with JSON Web Token and JSON Web Signature

7.5k316.6M895](/packages/lcobucci-jwt)[namshi/jose

JSON Object Signing and Encryption library for PHP.

1.8k99.6M101](/packages/namshi-jose)[web-token/jwt-framework

JSON Object Signing and Encryption library for PHP and Symfony Bundle.

94818.9M77](/packages/web-token-jwt-framework)[web-token/jwt-library

JWT library

2011.2M83](/packages/web-token-jwt-library)[bizley/jwt

JWT integration for Yii 2

67425.3k2](/packages/bizley-jwt)[web-token/jwt-bundle

JWT Bundle of the JWT Framework.

132.5M7](/packages/web-token-jwt-bundle)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)