PHPackages                             torugo/jwt - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. torugo/jwt

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

torugo/jwt
==========

Simple library to handle Json Web Tokens.

1.1.0(1y ago)033MITPHPPHP ^8.1

Since Sep 2Pushed 1y ago1 watchersCompare

[ Source](https://github.com/vitor-hugo/jwt)[ Packagist](https://packagist.org/packages/torugo/jwt)[ RSS](/packages/torugo-jwt/feed)WikiDiscussions main Synced today

READMEChangelogDependencies (3)Versions (6)Used By (0)

Torugo PHP-JWT
===============

[](#torugo-php-jwt-)

Simple PHP library to handle Json Web Tokens (JWT).

Table of Contents
==================

[](#table-of-contents-)

- [Requirements](#requirements)
- [Installation via composer](#installation-via-composer)
- [Supported algorithms](#supported-algorithms)
- [Usage](#usage)
    - [Encoding](#encoding)
- [Decoding](#decoding)
    - [Validating the token](#validating-the-token)
    - [Getting the token payload without validating it](#getting-the-token-payload-without-validating-it)
- [Contribute](#contribute)
- [License](#license)

Requirements
============

[](#requirements)

- PHP 8+
- PHP mbstring extension installed and loaded.
- PHP openssl extension installed and loaded.
- Composer 2+

Installation via composer
=========================

[](#installation-via-composer)

```
composer require torugo/jwt
```

Supported algorithms
====================

[](#supported-algorithms)

For now only the algorithms listed below are supported:

AlgorithmJWTALg enumKeyHS256`JWTAlg::HS256`Symmetric keyHS384`JWTAlg::HS384`Symmetric keyHS512`JWTAlg::HS512`Symmetric keyRS256`JWTAlg::RS256`Private/Public RSA keysRS384`JWTAlg::RS384`Private/Public RSA keysRS512`JWTAlg::RS512`Private/Public RSA keysUsage
=====

[](#usage)

Encoding
--------

[](#encoding)

```
use Torugo\JWT\JWT;
use Torugo\JWT\Enums\JwtAlg;

$key = "example_key_Jr6QWaxb7pgerDJgL";

$payload = [
    "sid" => "session_id",
    "uid" => "user_id",
    // ... more data
    "iat" => 1724972934, // if not present, this library adds automatically
    "nbf" => 1724000000, // if not present, this library adds automatically
    "ext" => 1724973234, // if not present, this library adds automatically
];

$jwt = JWT::encode($payload, $key, JWTAlg::HS256);
```

Decoding
========

[](#decoding)

Validating the token
--------------------

[](#validating-the-token)

The method `validate` checks the token signature and the time controls.
Returns the payload content as a `key=>pair` array.

Throws:

- `InvalidTokenException`: When the signature or structure is invalid.
- `ExpiredTokenException`: The token signature is valid, but the token time expired.
- `InvalidKeyException`: When the key type is invalid (not when the key is incorret).

```
use Torugo\JWT\JWT;
use Torugo\JWT\Exceptions\ExpiredTokenException;
use Torugo\JWT\Exceptions\InvalidKeyException;
use Torugo\JWT\Exceptions\InvalidTokenException;

$key = "example_key_Jr6QWaxb7pgerDJgL";

try {
    $payload = JWT::validate($jwt, $key);
} catch (ExpiredTokenException $e) {
    // Handle exception
} catch (InvalidTokenException $e) {
    // Handle exception
} catch (InvalidKeyException $e) {
    // Handle exception
}
```

Getting the token payload without validating it
-----------------------------------------------

[](#getting-the-token-payload-without-validating-it)

Getting token payload without validation is insecure, use this method at your own risk.

```
$payload = JWT::decodePayload($jwt, $key);
```

You can use this method to refresh the token when the token expires.
**Example**

```
try {
    $payload = JWT::decodePayload($jwt, $key);
} catch (ExpiredTokenException $e) {
    // When using RS256, RS384 or RS512 you must also pass the privateKey
    // On HS algorithms it is not needed
    $token = JWT::refreshToken($token, $publicKey, $privatekey);
} catch (\Throwable $e) {
    // Handle exception
}
```

Contribute
==========

[](#contribute)

It is currently not open to contributions, I intend to make it available as soon as possible.

License
=======

[](#license)

This library is licensed under the MIT License - see the LICENSE file for details.

###  Health Score

27

—

LowBetter than 47% of packages

Maintenance34

Infrequent updates — may be unmaintained

Popularity7

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity52

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~6 days

Total

5

Last Release

644d ago

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/2569689?v=4)[Vitor Hugo Meneses Beck](/maintainers/torugo)[@Torugo](https://github.com/Torugo)

---

Top Contributors

[![vitor-hugo](https://avatars.githubusercontent.com/u/32072927?v=4)](https://github.com/vitor-hugo "vitor-hugo (25 commits)")

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/torugo-jwt/health.svg)

```
[![Health](https://phpackages.com/badges/torugo-jwt/health.svg)](https://phpackages.com/packages/torugo-jwt)
```

###  Alternatives

[kartik-v/yii2-password

Useful password strength validation utilities for Yii Framework 2.0

761.3M17](/packages/kartik-v-yii2-password)[vitalybaev/laravel5-dkim

Laravel 5/6 package for signing outgoing messages with DKIM.

3163.1k](/packages/vitalybaev-laravel5-dkim)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
