PHPackages                             vkoori/laravel-stateless-auth - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. vkoori/laravel-stateless-auth

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

vkoori/laravel-stateless-auth
=============================

Stateless authentication for Laravel using JWT (JSON Web Tokens). This package enables secure, token-based authentication for API endpoints.

0.1.10(11mo ago)0547↓88.6%PHPPHP ^8.1

Since Jul 18Pushed 11mo agoCompare

[ Source](https://github.com/vkoori/laravel-stateless-auth)[ Packagist](https://packagist.org/packages/vkoori/laravel-stateless-auth)[ RSS](/packages/vkoori-laravel-stateless-auth/feed)WikiDiscussions master Synced 3d ago

READMEChangelog (10)Dependencies (2)Versions (12)Used By (0)

JwtAuth for Laravel
===================

[](#jwtauth-for-laravel)

A fully stateless JWT authentication guard and provider for Laravel.
Supports access/refresh tokens, automatic cookie injection, multi-source token parsing (header, query, cookie), and token revocation.

---

✨ Features
----------

[](#-features)

- 🔐 **Custom Laravel guard + provider** (fully stateless)
- ♻️ **Refresh token support**
- 🍪 **Cookie-based tokens (HttpOnly, optional)**
- 📩 **Header / Query string token support**
- 🔄 **Token revocation**
- 💡 **Simple trait-based token issuing**
- ⚡️ **Octane-ready**

---

📦 Installation
--------------

[](#-installation)

```
composer require vkoori/laravel-stateless-auth
```

⚙️ Configuration
----------------

[](#️-configuration)

Publish the config file:

```
php artisan vendor:publish --provider="Vkoori\JwtAuth\AuthServiceProvider"
```

This will publish `config/jwt-guard.php`.

also [read optionally](https://github.com/vkoori/laravel-jwt)

### 🛡 Register the Guard &amp; Provider

[](#-register-the-guard--provider)

In your `config/auth.php`:

```
'guards' => [
    'api' => [
        'driver' => 'jwt-auth',
        'provider' => 'jwt-users',
    ],
],

'providers' => [
    'jwt-users' => [
        'driver' => 'jwt-auth-provider',
        'model' => App\Models\User::class,
    ],
],
```

### 👤 Token Support on User Model

[](#-token-support-on-user-model)

Your `User` model must use the provided trait:

```
use Vkoori\JwtAuth\Auth\Traits\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens;
}
```

### 🧩 Custom Cache Driver for JWT Token Storage

[](#-custom-cache-driver-for-jwt-token-storage)

To prevent JWT tokens from being removed during global cache clears (`php artisan cache:clear`), you can isolate token storage using a **custom cache store**.

#### 🔧 Configuration

[](#-configuration)

*Use one of the existing cache stores, or define a dedicated store for JWT.*

1. Add a new cache store in `config/cache.php`:

```
'stores' => [
    // Other cache stores...

    'redis_jwt' => [
        'driver' => 'redis',
        'connection' => env('REDIS_JWT_CONNECTION', 'jwt'),
        'lock_connection' => env('REDIS_CACHE_LOCK_CONNECTION', 'default'),
    ],
],
```

2. Define a dedicated Redis connection in `config/database.php`:

```
'redis' => [

    // Other connections...

    'jwt' => [
        'url' => env('REDIS_URL'),
        'host' => env('REDIS_HOST', '127.0.0.1'),
        'username' => env('REDIS_USERNAME'),
        'password' => env('REDIS_PASSWORD'),
        'port' => env('REDIS_PORT', '6379'),
        'database' => env('REDIS_JWT_DB', '2'),
    ],
],
```

3. Set the custom driver on your `Authenticatable` model using the `HasApiTokens` trait:

```
use Vkoori\JwtAuth\Auth\Traits\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens;

    public ?string $jwtCacheDriver = 'redis_jwt';
}
```

#### 💡 Why This Matters

[](#-why-this-matters)

By using a dedicated Redis cache store for JWT tokens:

- php artisan cache:clear won’t wipe out active tokens
- You can still manually clear tokens when needed:

```
php artisan cache:clear redis_jwt
```

This is especially useful when `enable_revoke` is set to `true` in your config, ensuring users are logged out securely while preserving system-wide cache stability.

### 🔐 JWT Scope Middleware

[](#-jwt-scope-middleware)

This package includes a built-in `JwtScopeMiddleware` to restrict route access based on scopes defined in the JWT token payload.

#### 🔧 Middleware Registration

[](#-middleware-registration)

**✅ Laravel 12+**

In Laravel 12+, middleware is registered using the `bootstrap/app.php`:

```
    ->withMiddleware(function (Middleware $middleware): void {
        $middleware
            ->alias([
                'jwt.scope' => \Vkoori\JwtAuth\Middlewares\JwtScopeMiddleware::class,
            ]);
    })
```

**🧱 Laravel 11 and below**

If you're using Laravel 11 or older, register the middleware in `app/Http/Kernel.php`:

```
protected $routeMiddleware = [
    // ...
    'jwt.scope' => \Vkoori\JwtAuth\Middlewares\JwtScopeMiddleware::class,
];
```

#### ✅ Defining Scopes in Your JWT

[](#-defining-scopes-in-your-jwt)

Make sure you include the `scope` claim when generating your access tokens. Example:

```
$user->accessToken(scopes: ['admin', 'manager'])
```

#### 🔒 Protect Routes Using Scope Middleware

[](#-protect-routes-using-scope-middleware)

You can pass multiple allowed scopes or single scope, and access will be granted if at least one matches:

```
Route::middleware(['jwt.scope:admin'])->group(function () {
    Route::get('/admin/dashboard', [AdminController::class, 'index']);
});

Route::middleware(['jwt.scope:admin,other'])->group(function () {
    Route::get('/admin/dashboard', [AdminController::class, 'index']);
});
```

#### ⚠️ Error Handling

[](#️-error-handling)

- If the user is unauthenticated, a 401 Unauthorized will be thrown.
- If the token lacks the required scopes, a 403 Forbidden (ScopeException) will be raised.

###  Health Score

31

—

LowBetter than 66% of packages

Maintenance52

Moderate activity, may be stable

Popularity16

Limited adoption so far

Community2

Small or concentrated contributor base

Maturity42

Maturing project, gaining track record

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~1 days

Total

11

Last Release

339d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/87c1574170082a3c779cca97f90846e478dcc46114fc66480fbd04975b71a746?d=identicon)[vkoori](/maintainers/vkoori)

---

Tags

jwtauthguard

### Embed Badge

![Health badge](/badges/vkoori-laravel-stateless-auth/health.svg)

```
[![Health](https://phpackages.com/badges/vkoori-laravel-stateless-auth/health.svg)](https://phpackages.com/packages/vkoori-laravel-stateless-auth)
```

###  Alternatives

[tymon/jwt-auth

JSON Web Token Authentication for Laravel and Lumen

11.7k51.8M374](/packages/tymon-jwt-auth)[php-open-source-saver/jwt-auth

JSON Web Token Authentication for Laravel and Lumen

84611.1M64](/packages/php-open-source-saver-jwt-auth)[auth0/auth0-php

PHP SDK for Auth0 Authentication and Management APIs.

41021.9M91](/packages/auth0-auth0-php)[auth0/login

Auth0 Laravel SDK. Straight-forward and tested methods for implementing authentication, and accessing Auth0's Management API endpoints.

2795.3M3](/packages/auth0-login)[adhocore/jwt

Ultra lightweight JSON web token (JWT) library for PHP5.5+.

3031.8M29](/packages/adhocore-jwt)[auth0/symfony

Symfony SDK for Auth0 Authentication and Management APIs.

128814.6k](/packages/auth0-symfony)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
