Php Jwt Laravel Package

firebase/php-jwt

Encode and decode JSON Web Tokens (JWT) in PHP per RFC 7519. Supports common signing algorithms, key handling, and optional leeway for clock skew. Install via Composer; libsodium compatible via sodium_compat.

firebase/php-jwt is a lightweight PHP library for encoding and decoding JSON Web Tokens (JWT) in compliance with RFC 7519. It provides a straightforward API to sign tokens and verify them using explicitly allowed algorithms, helping you implement secure authentication and authorization flows.

Designed to be simple and dependency-friendly, it supports modern crypto setups (with optional libsodium via paragonie/sodium_compat) and offers practical controls like clock-skew leeway when validating time-based claims.

  • JWT::encode() / JWT::decode() for signing and verification
  • Enforced use of explicit algorithms (e.g., HS256)
  • Optional access to decoded header values after verification
  • Supports leeway for iat/nbf/exp clock skew handling
  • Compatible with libsodium environments via optional polyfill

Frequently asked questions about Php Jwt
How do I install firebase/php-jwt in a Laravel project?
Run `composer require firebase/php-jwt` to install the package. For environments without libsodium, add `paragonie/sodium_compat` via `composer require paragonie/sodium_compat`. No Laravel-specific setup is needed beyond Composer.
Which Laravel versions does firebase/php-jwt support?
The package works with Laravel 5.5+ and PHP 7.2+. For Laravel 10.x, it’s fully compatible with PHP 8.1+. Check the [GitHub actions](https://github.com/firebase/php-jwt/actions) for the latest test coverage.
Can I use firebase/php-jwt with Laravel Sanctum or Passport?
Yes. While Sanctum/Passport handle session-based auth, you can use firebase/php-jwt for stateless JWT validation in middleware or API gateways. Combine them by validating tokens in a custom middleware before Sanctum/Passport checks.
How do I enforce strict JWT algorithm validation (e.g., reject 'none')?
Use `new Key($key, 'HS256')` (or your preferred algorithm) during decode; `JWT::decode()` rejects any token whose `alg` header does not match the algorithm set on the key. To block weak algorithms globally, wrap `JWT::decode()` in middleware and throw an exception if the `alg` header doesn’t match your allowed list.
What’s the best way to handle key rotation for RS256 tokens?
Use `CachedKeySet` with a short TTL (e.g., 5 minutes) to cache JWKS from a public endpoint. Invalidate the cache via webhooks when keys rotate. Store private keys securely in AWS KMS, HashiCorp Vault, or Laravel’s encrypted env files.
How do I integrate firebase/php-jwt with Laravel’s auth system?
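Decode the JWT in middleware, then set the user via `auth()->setUser($user)`, where `$user` is the `Authenticatable` model resolved from the decoded claims (`setUser()` does not accept the decoded `stdClass` itself). Example: `auth()->loginUsingId($decoded->sub)` if your payload includes a user ID. This bridges JWT validation with Laravel’s auth contracts.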
What’s the performance impact of RS256 vs. HS256 in Laravel?
HS256 is significantly faster (~10x) than RS256 due to symmetric key operations. For high-throughput APIs, use HS256 with a strong secret. Reserve RS256 for public-key scenarios where security outweighs performance.
Can I customize JWT headers (e.g., add 'kid' for key identification)?
Yes. Pass the key ID as the fourth argument to `JWT::encode()` to set `kid`, or pass an array of additional header fields as the fifth argument; `alg` is always taken from the third argument. Example: `$jwt = JWT::encode($payload, $key, 'HS256', 'primary-key');`
How do I handle clock skew for `iat`, `nbf`, or `exp` claims?
Set a leeway in seconds via `JWT::$leeway = 60;` before decoding. This accounts for minor time differences between servers. Avoid excessive leeway (>5 minutes) to prevent replay attacks.
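
The algorithm pinning, `kid` lookup and leeway answers above, combined into one verifier and run over constructed tokens. This is an added example, not code from this page or from the php-jwt project; `verifyToken`, `DEMO_SECRET` and the key ID values are assumptions made for illustration.

```php
<?php
require __DIR__ . '/vendor/autoload.php'; // assumes: composer require firebase/php-jwt

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Constructed 64-character demo secret; load real secrets from configuration.
const DEMO_SECRET = 'constructed-demo-secret-0123456789-abcdefghijklmnopqrstuvwxyz-XY';

/** Hypothetical helper: returns the verified claims, or null if the token is rejected. */
function verifyToken(string $jwt, array $keys, int $leeway = 30): ?stdClass
{
    JWT::$leeway = $leeway; // tolerated clock skew, in seconds, for iat/nbf/exp
    try {
        // decode() selects the Key by the token's `kid` header and requires the
        // token's `alg` header to equal the algorithm pinned on that Key.
        return JWT::decode($jwt, $keys);
    } catch (UnexpectedValueException | DomainException | InvalidArgumentException $e) {
        return null; // bad signature, expired, unknown kid, wrong or unsupported alg
    }
}

// Map of kid => Key; each Key pins exactly one accepted algorithm.
$keys = ['primary-key' => new Key(DEMO_SECRET, 'HS256')];
$now  = time();
$b64  = fn (array $part): string => JWT::urlsafeB64Encode(json_encode($part));

// Constructed test tokens: one valid, the rest are cases the verifier must refuse
// (except the token that expired inside the leeway window).
$tokens = [
    'valid HS256'           => JWT::encode(['sub' => '42', 'exp' => $now + 300], DEMO_SECRET, 'HS256', 'primary-key'),
    'expired within leeway' => JWT::encode(['sub' => '42', 'exp' => $now - 10], DEMO_SECRET, 'HS256', 'primary-key'),
    'expired past leeway'   => JWT::encode(['sub' => '42', 'exp' => $now - 120], DEMO_SECRET, 'HS256', 'primary-key'),
    'alg differs from pin'  => JWT::encode(['sub' => '42', 'exp' => $now + 300], DEMO_SECRET, 'HS512', 'primary-key'),
    'unknown kid'           => JWT::encode(['sub' => '42', 'exp' => $now + 300], DEMO_SECRET, 'HS256', 'retired-key'),
    'unsigned, alg none'    => $b64(['typ' => 'JWT', 'alg' => 'none', 'kid' => 'primary-key'])
                               . '.' . $b64(['sub' => '42']) . '.',
];

foreach ($tokens as $label => $jwt) {
    printf("%-22s %s\n", $label, verifyToken($jwt, $keys) ? 'accepted' : 'rejected');
}
```

Only the first two tokens are accepted with the default 30-second leeway; the other four make `JWT::decode()` throw, so `verifyToken` returns null for them.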
Are there alternatives to firebase/php-jwt for Laravel JWT auth?
Yes. For Laravel, consider `tymon/jwt-auth` (Laravel-specific) or `web-token/jwt-framework` (PHP-focused). firebase/php-jwt is lighter and RFC-compliant but lacks Laravel’s built-in auth integration. Choose based on whether you need middleware hooks or JWKS caching.