How do I install firebase/php-jwt in a Laravel project?

Run `composer require firebase/php-jwt` in your Laravel project directory. For EdDSA support (e.g., Ed25519), also install `paragonie/sodium_compat` via Composer if your PHP environment lacks native libsodium. No additional Laravel-specific setup is required.

Which Laravel versions does firebase/php-jwt support?

The package works with Laravel 5.5+ and PHP 7.4+. For Laravel 10+, ensure PHP 8.1+ is used. Test edge cases (e.g., expired tokens) in CI/CD, especially if using older Laravel versions with PHP 7.4.

Can I use firebase/php-jwt with Laravel Sanctum or Passport?

Yes. Use it to validate JWTs in Sanctum (SPAs) or Passport (OAuth2) APIs. Replace or extend Laravel’s built-in auth with custom middleware or guards. For example, validate tokens in Sanctum’s `auth` middleware or Passport’s `validateToken` hook.

What signing algorithms are recommended for production?

For production, use asymmetric algorithms like **RS256** (RSA) or **ES256** (ECDSA) to avoid hardcoded secrets. Avoid **HS256** unless keys are securely managed (e.g., AWS KMS). EdDSA (Ed25519) is also secure but requires libsodium or `sodium_compat`.

How do I handle key rotation in Laravel with this package?

Use the `CachedKeySet` class to manage dynamic key rotation. Store keys in Laravel’s `config` or a secure vault (e.g., HashiCorp Vault). For revocation, pair short-lived tokens (e.g., 15-minute expiry) with a Redis blacklist or database flag.

Why am I getting a 'SignatureInvalidException' when decoding JWTs?

This typically means the token was signed with a different key or algorithm than expected. Verify the `Key` object’s algorithm matches the token’s header (e.g., `new Key($secret, 'HS256')`). Check for clock skew by setting `JWT::$leeway = 60` (seconds) if servers have time mismatches.

How do I decode JWT payloads into Eloquent models in Laravel?

Decode the JWT with `JWT::decode()`, then map claims (e.g., `sub` for user ID) to Eloquent models. Example: `$user = User::find((array) $decoded->sub)`. For nested claims, cast the decoded object to an array: `$payload = (array) $decoded`.

Is firebase/php-jwt compatible with Laravel’s built-in JWT auth (e.g., tymon/jwt-auth)?

No direct compatibility, but you can replace `tymon/jwt-auth` with this package for more control. Use Laravel middleware to validate tokens (e.g., `ValidateJWT`) or extend Laravel’s `AuthGuard` to use `firebase/php-jwt` for encoding/decoding.

How do I set up EdDSA (Ed25519) signing in Laravel?

First, install `paragonie/sodium_compat` via Composer. Then encode/decode with the `EdDSA` algorithm: `$jwt = JWT::encode($payload, $key, 'EdDSA')`. Ensure your PHP environment has the `sodium` extension or the compatibility layer.

What are the performance implications of using firebase/php-jwt in high-traffic APIs?

The package is optimized for low latency, but asymmetric algorithms (e.g., RS256) add slight overhead compared to symmetric (HS256). For high throughput (e.g., 10K+ RPS), use `CachedKeySet` to reduce key validation latency and monitor token decode failures for anomalies.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Php Jwt Laravel Package

firebase/php-jwt

Encode and decode JSON Web Tokens (JWT) in PHP (RFC 7519). Supports common signing algorithms, header handling, and clock-skew leeway. Simple API with JWT::encode() and JWT::decode() plus Key objects for verification.

View on GitHub

Deep Wiki

Context7

PHP package for JWT

Frequently asked questions about Php Jwt

How do I install firebase/php-jwt in a Laravel project?: Run `composer require firebase/php-jwt` in your Laravel project directory. For EdDSA support (e.g., Ed25519), also install `paragonie/sodium_compat` via Composer if your PHP environment lacks native libsodium. No additional Laravel-specific setup is required.
Which Laravel versions does firebase/php-jwt support?: The package works with Laravel 5.5+ and PHP 7.4+. For Laravel 10+, ensure PHP 8.1+ is used. Test edge cases (e.g., expired tokens) in CI/CD, especially if using older Laravel versions with PHP 7.4.
Can I use firebase/php-jwt with Laravel Sanctum or Passport?: Yes. Use it to validate JWTs in Sanctum (SPAs) or Passport (OAuth2) APIs. Replace or extend Laravel’s built-in auth with custom middleware or guards. For example, validate tokens in Sanctum’s `auth` middleware or Passport’s `validateToken` hook.
What signing algorithms are recommended for production?: For production, use asymmetric algorithms like **RS256** (RSA) or **ES256** (ECDSA) to avoid hardcoded secrets. Avoid **HS256** unless keys are securely managed (e.g., AWS KMS). EdDSA (Ed25519) is also secure but requires libsodium or `sodium_compat`.
How do I handle key rotation in Laravel with this package?: Use the `CachedKeySet` class to manage dynamic key rotation. Store keys in Laravel’s `config` or a secure vault (e.g., HashiCorp Vault). For revocation, pair short-lived tokens (e.g., 15-minute expiry) with a Redis blacklist or database flag.
Why am I getting a 'SignatureInvalidException' when decoding JWTs?: This typically means the token was signed with a different key or algorithm than expected. Verify the `Key` object’s algorithm matches the token’s header (e.g., `new Key($secret, 'HS256')`). Check for clock skew by setting `JWT::$leeway = 60` (seconds) if servers have time mismatches.
How do I decode JWT payloads into Eloquent models in Laravel?: Decode the JWT with `JWT::decode()`, then map claims (e.g., `sub` for user ID) to Eloquent models. Example: `$user = User::find((array) $decoded->sub)`. For nested claims, cast the decoded object to an array: `$payload = (array) $decoded`.
Is firebase/php-jwt compatible with Laravel’s built-in JWT auth (e.g., tymon/jwt-auth)?: No direct compatibility, but you can replace `tymon/jwt-auth` with this package for more control. Use Laravel middleware to validate tokens (e.g., `ValidateJWT`) or extend Laravel’s `AuthGuard` to use `firebase/php-jwt` for encoding/decoding.
How do I set up EdDSA (Ed25519) signing in Laravel?: First, install `paragonie/sodium_compat` via Composer. Then encode/decode with the `EdDSA` algorithm: `$jwt = JWT::encode($payload, $key, 'EdDSA')`. Ensure your PHP environment has the `sodium` extension or the compatibility layer.
What are the performance implications of using firebase/php-jwt in high-traffic APIs?: The package is optimized for low latency, but asymmetric algorithms (e.g., RS256) add slight overhead compared to symmetric (HS256). For high throughput (e.g., 10K+ RPS), use `CachedKeySet` to reduce key validation latency and monitor token decode failures for anomalies.

Popularity trends

Recorded values over time (once-a-day snapshots). May 7, 2026 – Jun 5, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

9,805

Favorites

10,038

Forks

1,277

Score

69.4

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 9805

+25.0
Forks

input: 1277

+15.0
Open issues + PRs

input: 14

+1.4
Releases

input: 32

+9.6
Recency

input: 65

+16.4
Issue opportunity

input: 8

+1.4
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 68.9

Opportunity

52.6

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

75.3
Contribution need

open_issues + open_prs: 14

15.4
Health factor

archived + recency + open issues

×0.97

Total 52.4

License

BSD-3-Clause

Last release

Apr 1, 2026

Watchers

222

Downloads

10M/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

hexters/coinpayment

rjcodes/rjcms

act-training/laravel-permissions-manager

alimarchal/laravel-chart-of-accounts

babenkoivan/elastic-scout-driver

mkwebdesign/filament-watchdog-v5

renatomarinho/laravel-page-speed

zedmagdy/filament-business-hours

renatovdemoura/blade-elements-ui

devgeek/beacon-admin

benjamin-rqt/data-watcher-bundle

atriumphp/atrium

sandermuller/package-boost-laravel

sandermuller/boost-skills

redaxo/core

yusufgenc/filament-api-forge

l3aro/rating-star-for-filament

leek/filament-subtenant-scope

anil/file-picker

broqit/fields-ai