Download the PHP package nowakowskir/php-jwt without Composer

On this page you can find all versions of the php package nowakowskir/php-jwt. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include: require_once('vendor/autoload.php');. After that, import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case, credentials are needed to access such packages. Please use the auth.json textarea to insert credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package php-jwt

JSON Web Tokens (JWT) implementation for PHP 7

JWT

Read more about JWT here:

License

Please check BSD-3 Clause terms before use.

Supported algorithms

Installation

You can add this package to your project by running composer command:

Make sure your vendor auto load file is loaded correctly and the following classes are used.

Elements

When using this package, you will mostly be using two classes: TokenDecoded and TokenEncoded.

You can transform objects of those classes like below:

TokenDecoded

This class is a representation of a decoded token. It consists of a header and payload. Both elements are arrays.

A token represented by an object of class TokenDecoded lets you access and modify any of its parts.

TokenEncoded

This class is a representation of an encoded token.

Usage

Building the new JWT

There are two arguments you can optionally pass to the constructor. These are payload and header.

Please check the Security best practices section to understand why providing an algorithm is mandatory when encoding a token!

Instantiating existing token

Getting token's header

Getting token's payload

Please note that providing a key is not required to decode a token, as its header and payload are public. Take special care not to pass any confidential information within the token's header and payload. JWT only allows you to verify that the token containing the given payload was issued by a trusted party. It does not protect the data passed in a payload! Be aware that anybody can access your token's payload!

Validating token

In order to use a decoded payload, make sure your token goes through the validation process first. Otherwise, the payload can't be trusted!

Please check the Security best practices section to understand why providing an algorithm is mandatory when validating a token!

If you need more detailed information about why your validation process has failed, there are several exception classes you can catch:

Exception Class | Description
--- | ---
Nowakowskir\JWT\Exceptions\IntegrityViolationException | Token is not trusted. Either an invalid key was provided or the token was tampered with.
Nowakowskir\JWT\Exceptions\AlgorithmMismatchException | The algorithm you decided to use to validate the token is different from the algorithm specified in the token's header.
Nowakowskir\JWT\Exceptions\TokenExpiredException | Token has expired (if an expiration date was set by the issuer).
Nowakowskir\JWT\Exceptions\TokenInactiveException | Token is not yet active (if a not before date was set by the issuer).

Building the new JWT with expiration date (exp)

If you want your token to expire at some date, you can use the exp flag.

Building the new JWT with not before date (nbf)

If you want your token to be inactive until a given date, you can use the nbf flag.

Solving clock difference issue between servers (exp, nbf)

Because clocks may differ between servers, you can use a so-called leeway to solve this issue. It is a time margin that is taken into account when validating the token's time claims (exp, nbf).

Security best practices

Don't pass confidential data in token's payload

Please note that providing a key is not required to decode a token, as its header and payload are public. Take special care not to pass any confidential information within the token's header and payload. JWT only allows you to verify that the token containing the given payload was issued by a trusted party. It does not protect the data passed in a payload! Be aware that anybody can access your token's payload!

Don't trust your payload until you validate a token

The only way to ensure the token is valid is to use method. Please keep in mind that method decodes a token only. It gives you access to its payload without any validation!

The reason why it allows you to get the token's payload without any validation is that:

Enforce algorithm when encoding and validating token

Because the algorithm defined in the token's header may, in some circumstances, be modified by an attacker, it's highly recommended not to rely on the algorithm contained in the token's header.

For security reasons, you should choose one algorithm whenever possible and stick to it in both the issuer and verifier applications.

To increase your tokens' security, this package requires an algorithm to be provided when encoding and validating tokens.

Below you can find the correct way of encoding and decoding tokens:

As you can see, both use the same algorithm.

This package throws Nowakowskir\JWT\Exceptions\AlgorithmMismatchException if the algorithm you decided to use to validate the token is different from the algorithm specified in the token's header.

This prevents a token from validating successfully if it has been tampered with.

You may be tempted to work around this and use the algorithm contained in the token's header for validation purposes, but this is strongly discouraged!
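The rules above (the payload is readable without a key, the verifier pins the algorithm, and leeway widens the exp/nbf window) shown together in an added plain-PHP example; it is not this package's code or API. The function names, the demo key and the fixed clock values are constructed for illustration, and HS256 via hash_hmac stands in for whichever algorithm you pin.

```php
<?php
// Added illustration in plain PHP; not the nowakowskir/php-jwt source or API.
// Every function name below is hypothetical.
function b64u(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function unb64u(string $txt): string {
    return (string) base64_decode(strtr($txt, '-_', '+/'));
}
// Issuer: sign "header.payload" with HMAC-SHA256.
function issue_hs256(array $payload, string $key): string {
    $in = b64u(json_encode(['typ' => 'JWT', 'alg' => 'HS256'])) . '.' . b64u(json_encode($payload));
    return $in . '.' . b64u(hash_hmac('sha256', $in, $key, true));
}
// Verifier: HS256 is pinned in code; the header's "alg" is only compared against it.
function verify_hs256(string $token, string $key, int $leeway, int $now): array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h, $p, $s] = $parts;
    $header = json_decode(unb64u($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256')
        throw new RuntimeException('algorithm mismatch');
    if (!hash_equals(hash_hmac('sha256', "$h.$p", $key, true), unb64u($s)))
        throw new RuntimeException('integrity violation');
    $payload = json_decode(unb64u($p), true);
    if (!is_array($payload)) throw new RuntimeException('malformed payload');
    // Leeway widens both time windows to absorb clock drift between servers.
    if (isset($payload['exp']) && $now - $leeway >= $payload['exp'])
        throw new RuntimeException('token expired');
    if (isset($payload['nbf']) && $now + $leeway < $payload['nbf'])
        throw new RuntimeException('token inactive');
    return $payload;
}
function outcome(string $token, string $key, int $leeway, int $now): string {
    try { verify_hs256($token, $key, $leeway, $now); return 'accepted'; }
    catch (RuntimeException $e) { return 'rejected: ' . $e->getMessage(); }
}
// Constructed sample data: demo key, fixed clock values instead of time().
$key   = 'constructed-demo-key';
$token = issue_hs256(['sub' => 'alice', 'exp' => 1000], $key);
[, $p, $s] = explode('.', $token);
// Same payload and signature, but the header now names a different algorithm.
$altered = b64u(json_encode(['typ' => 'JWT', 'alg' => 'HS512'])) . ".$p.$s";
echo 'payload read with no key: ', unb64u($p), "\n";
echo 'now=990,  leeway=0:       ', outcome($token, $key, 0, 990), "\n";
echo 'now=1030, leeway=0:       ', outcome($token, $key, 0, 1030), "\n";
echo 'now=1030, leeway=60:      ', outcome($token, $key, 60, 1030), "\n";
echo 'header alg altered:       ', outcome($altered, $key, 0, 990), "\n";
```

The verifier never selects a verification routine from the token's header, so a token whose header was changed is rejected before its signature is even considered.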

Using insecure tokens

Creating insecure tokens is not possible for security reasons.

This package does not let you create a token with algorithm or empty signature.

Trying to do so will result in exception.

It's also not possible to parse a token without an algorithm defined.

Generate a strong private key

First, you need to generate a private key.

Next, you need to generate a public key based on the private key.

Rotate your public/private key pair regularly

To minimize the risk of an unauthorized entity obtaining your public/private key pair, rotate it regularly.

Protect your private key

Make sure your private key is secured and not accessible by any unauthorized entities. Take special care with file permissions. In most cases, you should set permissions on your private key file, which means it's accessible only by the file's owner.

Protect your public key

Even if it's called public, try to share this key only when it's really required. Also, file permissions should be as restrictive as possible. Do not pass public keys between requests or expose them to the public audience.

Don't pass tokens in URL

They will be stored in server logs, browser history, etc.

Use token's expiration date

Whenever possible, use the token's expiration date, so the token is valid only for as long as necessary.

Check for updates

Regularly check for updates of this package.


All versions of php-jwt with dependencies

Requires php Version >=7.2.1