Connect with us


PHP Authorization with JWT (JSON Internet Tokens) – SitePoint

There was a time when the one method to authenticate your self with an utility was by offering your credentials (often a username or e mail handle and a password) and a session was then used to take care of person state till the person logged out. A short time later, we began utilizing authentication APIs. And in but newer occasions, JWTs, or JSON Internet Tokens, have been more and more used as one other method to authenticate requests to a server.

On this article, you’ll be taught what JWTs are and the best way to use them with PHP to make authenticated person requests.

JWTs versus Periods

However first, why are classes not such an excellent factor? Effectively, there are three key causes:

  • Knowledge is saved in plain textual content on the server.
    Despite the fact that the information is often not saved in a public folder, anybody with ample entry to the server can learn the contents of session recordsdata.
  • They contain filesystem learn/write requests.
    Each time a session begins or its information is modified, the server must replace the session file. The identical goes for each time the applying sends a session cookie. If in case you have numerous customers, you possibly can find yourself with a gradual server until you employ different session storage choices, comparable to Memcached and Redis.
  • Distributed/Clustered purposes.
    Since session recordsdata are, by default, saved on the file system, it’s exhausting to have a distributed or clustered infrastructure for prime availability purposes — ones that require using applied sciences comparable to load balancers and clustered servers. Different storage media and particular configurations must be carried out — and be accomplished so in full consciousness of their implications.


Now, let’s begin studying about JWTs. The JSON Internet Token specification (RFC 7519) was first printed on December 28, 2010, and was most just lately up to date in Could 2015.

JWTs have many benefits over API keys, together with:

  • API keys are random strings, whereas JWTs include info and metadata. This info and metadata can describe a variety of issues, comparable to a person’s identification, authorization information, and the validity of the token inside a time-frame or in relation to a website.
  • JWTs don’t require a centralized issuing or revoking authority.
  • JWTs are OAUTH2 appropriate.
  • JWT information will be inspected.
  • JWTs have expiration controls.
  • JWTs are meant for space-constrained environments, comparable to HTTP Authorization headers.
  • Knowledge is transmitted in JavaScript Object Notation format (JSON).
  • JWTs are represented utilizing Base64url encoding

What Does a JWT Look Like?

Here’s a pattern JWT:


At first look, it seems that the string is simply random teams of characters concatenated with a interval or dot character. As such, it might not appear very totally different from an API key. Nevertheless, in case you look extra intently, there are three separate strings.

The primary string is the JWT header. It’s a Base64, URL-encoded JSON string. It specifies which cryptographic algorithm was used to generate the signature, and the token’s kind, which is all the time set to JWT. The algorithm will be both symmetric or uneven.

A symmetric algorithm makes use of a single key to each create and confirm the token. The bottom line is shared between the creator of the JWT and the patron of it. It’s important that you just make certain solely the creator and shopper is aware of the key. In any other case, anybody can create a legitimate token.

An uneven algorithm makes use of a non-public key to signal the token and a public key to confirm it. These algorithms ought to be used when a shared secret is impractical or different events solely have to confirm the integrity of the token.

The JWT’s Payload

The second string is the JWT’s payload. It’s additionally a Base64, URL-encoded JSON string. It incorporates some commonplace fields, that are known as “claims”. There are three sorts of claims: registered, public, and non-public.

Registered claims are predefined. You could find an inventory of them in the JWT’s RFC. Listed here are some generally used ones:

  • iat: the timestamp of token issuing.
  • key: a novel string, which could possibly be used to validate a token, however goes in opposition to not having a centralized issuer authority.
  • iss: a string containing the identify or identifier of the issuer. Could be a area identify and can be utilized to discard tokens from different purposes.
  • nbf: a timestamp of when the token ought to begin being thought-about legitimate. Needs to be equal to or larger than iat.
  • exp: a timestamp of when the token ought to stop to be legitimate. Needs to be larger than iat and nbf.

Public claims will be outlined as you see match. Nevertheless, they will’t be the identical as registered claims, or claims of already current public claims. You possibly can create non-public claims at will. They’re just for use between two events: a producer and a shopper.

The JWT’s Signature

The JWT’s signature is a cryptographic mechanism designed to safe the JWT’s information with a digital signature distinctive to the contents of the token. The signature ensures the JWT’s integrity so that buyers can confirm it hasn’t been tampered with by a malicious actor.

The JWT’s signature is a mix of three issues:

  • the JWT’s header
  • the JWT’s payload
  • a secret worth

These three are digitally signed (not encrypted) utilizing the algorithm specified within the JWT’s header. If we decode the instance above, we’ll have the next JSON strings:

The JWT’s Header

    "alg": "HS256",
    "typ": "JWT"

The JWT’s Knowledge

    "iat": 1416929109,
    "jti": "aa7f8d0a95c",
    "scopes": [

Check out for your self, the place you possibly can mess around with encoding and decoding your personal JWTs.

Let’s Use JWTs in a PHP-based Utility

Now that you just’ve realized what JWTs are, it’s now time to learn to use them in a PHP app. Earlier than we dive in, be happy to clone the code for this text, or observe alongside and create it as we go.

There are a lot of methods that you would be able to strategy integrating JWTs, however right here’s how we’re going to do it.

All requests to the applying, aside from the login and logout web page, have to be authenticated through a JWT. If a person makes a request with out a JWT, they’ll be redirected to the login web page.

After a person fills out and submits the login kind, the shape can be submitted through JavaScript to the login endpoint, authenticate.php, in our utility. The endpoint will then extract the credentials (a username and password) from the request and test in the event that they’re legitimate.

If they’re, it can generate a JWT and ship it again to the consumer. When the consumer receives a JWT, it can retailer it and use it with each future request to the applying.

For a simplistic situation, there’ll solely be one useful resource the person can request — a PHP file aptly named useful resource.php. It gained’t do a lot, simply returning a string, containing the present timestamp on the time of the request.

There’s couple of the way to make use of JWTs when making requests. In our utility, the JWT can be despatched in the Bearer authorization header.

For those who’re not aware of Bearer Authorization, it’s a type of HTTP authentication, the place a token (comparable to a JWT) is distributed in a request header. The server can examine the token and decide if entry ought to be given to the “bearer” of the token.

Right here’s an instance of the header:

Authorization: Bearer ab0dde18155a43ee83edba4a4542b973

For every request acquired by our utility, PHP will try to extract the token from the Bearer header. If it’s current, it’s then validated. If it’s legitimate, the person will see the traditional response for that request. If the JWT is invalid, nonetheless, the person gained’t be allowed to entry the useful resource.

Please be aware that JWT was not designed to substitute session cookies.


To start with, we have to have PHP and Composer put in on our methods.

Within the challenge’s root, run composer set up. This can pull in Firebase PHP-JWT, a third-party library that simplifies working with JWTs, in addition to laminas-config, designed to simplify entry to configuration information inside purposes

The Login Type

With the library put in, let’s step by means of the login code in authenticate.php. We first do the same old setup, guaranteeing that the Composer-generated autoloader is accessible.



use FirebaseJWTJWT;


After receiving the shape submission, the credentials are validated in opposition to a database, or another information retailer. For the needs of this instance, we’ll assume that they’re legitimate, and set $hasValidCredentials to true.


if ($hasValidCredentials) {

Subsequent, we initialize a set of variables for use for producing the JWT. Please keep in mind that since a JWT will be inspected client-side, don’t embrace any delicate info in it.

One other factor value stating, once more, is that $secretKey wouldn’t be initialized like this. You’d probably set it within the atmosphere and extract it, utilizing library comparable to phpdotenv, or in a config file. I’ve averted doing that on this instance, as I wish to deal with the JWT code.

By no means disclose it or retailer it below model management!

$secretKey  = 'bGS6lzFqvvSQ8ALbOxatm7/Vk7mLQyzqaS34Q4oR1ew=';
$issuedAt   = new DateTimeImmutable();
$expire     = $issuedAt->modify('+6 minutes')->getTimestamp();      
$serverName = "your.area.identify";
$username   = "username";                                           

$information = [
    'iat'  => $issuedAt,         
    'iss'  => $serverName,       
    'nbf'  => $issuedAt,         
    'exp'  => $expire,           
    'userName' => $username,     

With the payload information able to go, we subsequent use php-jwt’s static encode technique to create the JWT.

The strategy:

  • transforms the array to JSON
  • produce the headers
  • indicators the payload
  • encodes the ultimate string

It takes three parameters:

  • the payload info
  • the key key
  • the algorithm to make use of to signal the token

By calling echo on the results of the operate, the generated token is returned:

    echo JWT::encode(

Consuming the JWT

Retrieving a resource using JavaScript and JWTs

Now that the consumer has the token, you possibly can retailer it utilizing JavaScript or whichever mechanism you like. Right here’s an instance of how to take action utilizing vanilla JavaScript. In index.html, after a profitable kind submission, the returned JWT is saved in reminiscence, the login kind is hidden, and the button to request the timestamp is displayed:

const retailer = {};
const loginButton = doc.querySelector('#frmLogin');
const btnGetResource = doc.querySelector('#btnGetResource');
const kind = doc.varieties[0];

retailer.setJWT = operate (information) {
  this.JWT = information;

loginButton.addEventListener('submit', async (e) => {

  const res = await fetch('/authenticate.php', {
    technique: 'POST',
    headers: {
      'Content material-type': 'utility/x-www-form-urlencoded; charset=UTF-8'
    physique: JSON.stringify({
      username: kind.inputEmail.worth,
      password: kind.inputPassword.worth

  if (res.standing >= 200 && res.standing <= 299) {
    const jwt = await res.textual content();
    retailer.setJWT(jwt); = 'none'; = 'block';
  } else {
    console.log(res.standing, res.statusText);

Utilizing the JWT

When clicking on the “Get present timestamp” button, a GET request is made to useful resource.php, which units the JWT acquired after authentication within the Authorization header.

btnGetResource.addEventListener('click on', async (e) => {
  const res = await fetch('/useful resource.php', {
    headers: {
      'Authorization': `Bearer ${retailer.JWT}`
  const timeStamp = await res.textual content();

Once we click on the button, a request much like the next is made:

GET /useful resource.php HTTP/1.1
Connection: keep-alive
Settle for: */*
X-Requested-With: XMLHttpRequest
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE0MjU1ODg4MjEsImp0aSI6IjU0ZjhjMjU1NWQyMjMiLCJpc3MiOiJzcC1qd3Qtc2ltcGxlLXRlY25vbTFrMy5jOS5pbyIsIm5iZiI6MTQyNTU4ODgyMSwiZXhwIjoxNDI1NTkyNDIxLCJkYXRhIjp7InVzZXJJZCI6IjEiLCJ1c2VyTmFtZSI6ImFkbWluIn19.HVYBe9xvPD8qt0wh7rXI8bmRJsQavJ8Qs29yfVbY-A0

Assuming that the JWT is legitimate, we’d see the useful resource, after which the response is written to the console.

Validating the JWT

Lastly, let’s have a look at how we are able to validate the token in PHP. As all the time, we’d embrace Composer’s autoloader. We might then, optionally, test if the right request technique’s been used. I’ve omitted the code to try this, to proceed specializing in the JWT-specific code:



Then, the code would try to extract the token from the Bearer header. I’ve accomplished so utilizing preg_match. For those who’re not aware of the operate, it performs an everyday expression match on a string

The common expression that I’ve used right here will try to extract the token from the Bearer header, and dump every little thing else. If it’s not discovered, an HTTP 400 Dangerous Request is returned:

if (! preg_match('/Bearers(S+)/', $_SERVER['HTTP_AUTHORIZATION'], $matches)) {
    header('HTTP/1.0 400 Dangerous Request');
    echo 'Token not present in request';

Be aware that, by default, Apache won’t cross the HTTP_AUTHORIZATION header to PHP. The rationale behind that is:

The fundamental authorization header is just safe in case your connection is completed over HTTPS, since in any other case the credentials are despatched in encoded plain textual content (not encrypted) over the community which is a big safety subject.

I totally recognize the logic of this determination. Nevertheless, to keep away from numerous confusion, add the next to your Apache configuration. Then the code will operate as anticipated. For those who’re utilizing NGINX, the code ought to operate as anticipated:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Subsequent, we try to extract the matched JWT, which might be within the second component of the $matches variable. If it’s not accessible, then no JWT was extracted, and an HTTP 400 Dangerous Request is returned:

$jwt = $matches[1];
if (! $jwt) {
    header('HTTP/1.0 400 Dangerous Request');

If we get so far, a JWT was extracted, so we transfer to the decoding and validation stage. To do this, we’d like our secret key once more, which might be pulled from the atmosphere or the applying’s configuration. We then use php-jwt’s static decode technique, passing to it the JWT, the key key, and an array of algorithms to make use of to decode the JWT.

If it’s in a position to be efficiently decoded, we then try to validate it. The instance I’ve right here is kind of simplistic, because it solely makes use of the issuer, not earlier than and expiry timestamps. In an actual utility, you’d probably use quite a lot of different claims as properly.

$secretKey  = 'bGS6lzFqvvSQ8ALbOxatm7/Vk7mLQyzqaS34Q4oR1ew=';
$token = JWT::decode($jwt, $secretKey, ['HS512']);
$now = new DateTimeImmutable();
$serverName = "your.area.identify";

if ($token->iss !== $serverName ||
    $token->nbf > $now->getTimestamp() ||
    $token->exp < $now->getTimestamp())
    header('HTTP/1.1 401 Unauthorized');

If the token isn’t legitimate as a result of, for instance, the token has expired, the person can be despatched an HTTP 401 Unauthorized header, and the script will exit.

If the method to decode the JWT fails, it could possibly be that:

  • The variety of segments offered didn’t match the usual three as described earlier.
  • The header or the payload will not be a legitimate JSON string
  • The signature is invalid, which implies the information was tampered with!
  • The nbf declare is about within the JWT with a timestamp when the present timestamp is lower than that.
  • The iat declare is about within the JWT with a timestamp when the present timestamp is lower than that.
  • The exp declare is about within the JWT with a timestamp when the present timestamp is greater than that.

As you possibly can see, JWT has a pleasant set of controls that can mark it as invalid, with out the necessity to manually revoke it or test it in opposition to an inventory of legitimate tokens.

If the decode and validation course of succeeds, the person can be allowed to make the request, and can be despatched the suitable response.

In Conclusion

That’s a fast introduction to JSON Internet Tokens, or JWTs, and the best way to use them in PHP-based purposes. From right here on, you possibly can attempt to implement JWTs in your subsequent API, perhaps attempting another signing algorithms that use uneven keys like RS256, or integrating it in an current OAUTH2 authentication server to be the API key.

If in case you have any feedback or questions, be happy to get in contact on Twitter.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *