weilewantieba/jwt
=================

A simple library to work with JSON Web Token and JSON Web Signature

v2.0 (3y ago) · BSD-3-Clause · PHP ^5.6 || ^8.0

[Source](https://github.com/weilewantieba/jwt) · [Packagist](https://packagist.org/packages/weilewantieba/jwt)

JWT
===

A simple library to work with JSON Web Token and JSON Web Signature (requires PHP 5.6+). The implementation is based on [RFC 7519](https://tools.ietf.org/html/rfc7519).

Installation
------------

The package is available on [Packagist](http://packagist.org/packages/lcobucci/jwt); you can install it using [Composer](http://getcomposer.org).

```
composer require weilewantieba/jwt
```

### Dependencies

- PHP 5.6+
- OpenSSL Extension

Basic usage
-----------

### Creating

Just use the builder to create new JWT/JWS tokens:

```
use Lcobucci\JWT\Builder;

$time = time();
$token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
                        ->permittedFor('http://example.org') // Configures the audience (aud claim)
                        ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
                        ->issuedAt($time) // Configures the time that the token was issued (iat claim)
                        ->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
                        ->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
                        ->withClaim('uid', 1) // Configures a new claim, called "uid"
                        ->getToken(); // Retrieves the generated token

$token->getHeaders(); // Retrieves the token headers
$token->getClaims(); // Retrieves the token claims

echo $token->getHeader('jti'); // will print "4f1g23a12aa"
echo $token->getClaim('iss'); // will print "http://example.com"
echo $token->getClaim('uid'); // will print "1"
echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
```

### Parsing from strings

Use the parser to create a new token from a JWT string (using the previous token as an example):

```
use Lcobucci\JWT\Parser;

$token = (new Parser())->parse((string) $token); // Parses from a string
$token->getHeaders(); // Retrieves the token header
$token->getClaims(); // Retrieves the token claims

echo $token->getHeader('jti'); // will print "4f1g23a12aa"
echo $token->getClaim('iss'); // will print "http://example.com"
echo $token->getClaim('uid'); // will print "1"
```

### Validating

We can easily check whether the token is valid (using the previous token and time as an example):

```
use Lcobucci\JWT\ValidationData;

$data = new ValidationData(); // It will use the current time to validate (iat, nbf and exp)
$data->setIssuer('http://example.com');
$data->setAudience('http://example.org');
$data->setId('4f1g23a12aa');

var_dump($token->validate($data)); // false, because token cannot be used before now() + 60

$data->setCurrentTime($time + 61); // changing the validation time to future

var_dump($token->validate($data)); // true, because current time is between "nbf" and "exp" claims

$data->setCurrentTime($time + 4000); // changing the validation time to future

var_dump($token->validate($data)); // false, because token is expired since current time is greater than exp

// We can also use the $leeway parameter to deal with clock skew (see notes below)
// If token's claimed time is invalid but the difference between that and the validation time is less than $leeway,
// then token is still considered valid
$dataWithLeeway = new ValidationData($time, 20);
$dataWithLeeway->setIssuer('http://example.com');
$dataWithLeeway->setAudience('http://example.org');
$dataWithLeeway->setId('4f1g23a12aa');

var_dump($token->validate($dataWithLeeway)); // false, because token can't be used before now() + 60, not within leeway

$dataWithLeeway->setCurrentTime($time + 51); // changing the validation time to future

var_dump($token->validate($dataWithLeeway)); // true, because current time plus leeway is between "nbf" and "exp" claims

$dataWithLeeway->setCurrentTime($time + 3610); // changing the validation time to future but within leeway

var_dump($token->validate($dataWithLeeway)); // true, because current time - 20 seconds leeway is less than exp

$dataWithLeeway->setCurrentTime($time + 4000); // changing the validation time to future outside of leeway

var_dump($token->validate($dataWithLeeway)); // false, because token is expired since current time is greater than exp
```

#### Important

- You have to configure `ValidationData` with all the claims you want to validate in the token.
- If `ValidationData` contains claims that are not used in the token, or the token has claims that are not configured in `ValidationData`, they will be ignored by `Token::validate()`.
- `exp`, `nbf` and `iat` claims are configured by default in `ValidationData::__construct()` with the current UNIX time (`time()`).
- The optional `$leeway` parameter of `ValidationData` will cause us to use that number of seconds of leeway when validating the time-based claims, pretending we are further in the future for the "Issued At" (`iat`) and "Not Before" (`nbf`) claims and pretending we are further in the past for the "Expiration Time" (`exp`) claim. This allows for situations where the clock of the issuing server has a different time than the clock of the verifying server, as mentioned in [section 4.1 of RFC 7519](https://tools.ietf.org/html/rfc7519#section-4.1).

Token signature
---------------

We can use signatures to verify that the token was not modified after its generation. This library implements Hmac, RSA and ECDSA signatures (using SHA-256, SHA-384 and SHA-512).

### Important

Do not allow the string sent to the Parser to dictate which signature algorithm to use, or else your application will be vulnerable to a [critical JWT security vulnerability](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries).

The examples below are safe because the choice in `Signer` is hard-coded and cannot be influenced by malicious users.

### Hmac

Hmac signatures are really simple to use:

```
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Hmac\Sha256;

$signer = new Sha256();
$time = time();

$token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
                        ->permittedFor('http://example.org') // Configures the audience (aud claim)
                        ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
                        ->issuedAt($time) // Configures the time that the token was issued (iat claim)
                        ->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
                        ->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
                        ->withClaim('uid', 1) // Configures a new claim, called "uid"
                        ->getToken($signer, new Key('testing')); // Retrieves the generated token

var_dump($token->verify($signer, 'testing 1')); // false, because the key is different
var_dump($token->verify($signer, 'testing')); // true, because the key is the same
```

### RSA and ECDSA

RSA and ECDSA signatures are based on public and private keys, so you have to generate the token using the private key and verify it using the public key:

```
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Rsa\Sha256; // you can use Lcobucci\JWT\Signer\Ecdsa\Sha256 if you're using ECDSA keys

$signer = new Sha256();
$privateKey = new Key('file://{path to your private key}');
$time = time();

$token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
                        ->permittedFor('http://example.org') // Configures the audience (aud claim)
                        ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
                        ->issuedAt($time) // Configures the time that the token was issued (iat claim)
                        ->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
                        ->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
                        ->withClaim('uid', 1) // Configures a new claim, called "uid"
                        ->getToken($signer, $privateKey); // Retrieves the generated token

$publicKey = new Key('file://{path to your public key}');

var_dump($token->verify($signer, $publicKey)); // true when the public key was generated by the private one =)
```

**It's important to say that if you're using RSA keys you shouldn't invoke ECDSA signers (and vice-versa), otherwise `sign()` and `verify()` will raise an exception!**
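The sections above show parsing, validation and signature verification separately. The following added example (not part of the original README or of the library) combines them in the order a verifying application needs; the helper name `authenticate()` and the list of required claims are assumptions, and only calls shown on this page are used.

```php
<?php
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\ValidationData;
use Lcobucci\JWT\Signer\Hmac\Sha256;

/**
 * Hypothetical helper (not part of the library): returns the claims of a
 * token that passed every check, or null if any check failed.
 */
function authenticate($jwt, $secret)
{
    // The signer is fixed by the application. It is never selected from
    // $token->getHeader('alg'), because the header is untrusted input.
    $signer = new Sha256();

    try {
        $token = (new Parser())->parse((string) $jwt);

        // 1. Signature first: nothing in the token is trusted before this.
        if (!$token->verify($signer, $secret)) {
            return null;
        }
    } catch (\Exception $e) {
        // Malformed or unsigned input is rejected, not passed through.
        return null;
    }

    // 2. validate() ignores claims that are missing from the token, so
    //    require the ones this application relies on before calling it.
    $claims = $token->getClaims();
    foreach (['iss', 'aud', 'exp'] as $required) {
        if (!array_key_exists($required, $claims)) {
            return null;
        }
    }

    // 3. Claim values and time window (iat, nbf, exp) with 20 s of leeway.
    $data = new ValidationData(time(), 20);
    $data->setIssuer('http://example.com');
    $data->setAudience('http://example.org');

    return $token->validate($data) ? $claims : null;
}
```

A token that is correctly signed but carries no `exp` claim would pass `validate()` on its own; the required-claim loop is what rejects it here.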

jwt
===

dos-jwt
=======

