Php Jwt Laravel Package

7.0.5 (2026-03-31)

Bug Fixes

• RSA from JWK sometimes returns empty Instance (#628) (b4c78aa)

7.0.4 (2026-03-27)

Bug Fixes

• readme examples, add tests for all examples (#626) (510a00c)
• use urlsafeB64Decode everywhere (#627) (b889495)

7.0.3 (2026-02-18)

Miscellaneous Chores

• add environment for Release Please job (#619) (300fd02)

7.0.2 (2025-12-16)

Bug Fixes

• add key length validation for ec keys (#615) (7044f9a)

Bug Fixes

• remove resource support (#612)

7.0.0 (2025-12-15)

⚠️ ⚠️ ⚠️ Security Fixes ⚠️ ⚠️ ⚠️

• add key size validation (#613) (6b80341) NOTE: This fix will cause keys with a size below the minimally allowed size to break.

Features

• add SensitiveParameter attribute to security-critical parameters (#603) (4dbfac0)
• store timestamp in ExpiredException (#604) (f174826)

Bug Fixes

• validate iat and nbf on payload (#568) (953b2c8)

6.11.1 (2025-04-09)

Bug Fixes

• update error text for consistency (#528) (c11113a)

6.11.0 (2025-01-23)

Features

• support octet typed JWK (#587) (7cb8a26)

Bug Fixes

• refactor constructor Key to use PHP 8.0 syntax (#577) (29fa2ce)

6.10.2 (2024-11-24)

Bug Fixes

• Mitigate PHP8.4 deprecation warnings (#570) (76808fa)
• support php 8.4 (#583) (e3d68b0)

6.10.1 (2024-05-18)

Bug Fixes

• ensure ratelimit expiry is set every time (#556) (09cb208)
• ratelimit cache expiration (#550) (dda7250)

6.10.0 (2023-11-28)

Features

• allow typ header override (#546) (79cb30b)

6.9.0 (2023-10-04)

Features

• add payload to jwt exception (#521) (175edf9)

6.8.1 (2023-07-14)

Bug Fixes

• accept float claims but round down to ignore them (#492) (3936842)
• different BeforeValidException messages for nbf and iat (#526) (0a53cf2)

6.8.0 (2023-06-14)

Features

• add support for P-384 curve (#515) (5de4323)

Bug Fixes

• handle invalid http responses (#508) (91c39c7)

6.7.0 (2023-06-14)

Features

• add ed25519 support to JWK (public keys) (#452) (e53979a)

6.6.0 (2023-06-13)

Features

• allow get headers when decoding token (#442) (fb85f47)

Bug Fixes

• only check iat if nbf is not used (#493) (398ccd2)

6.5.0 (2023-05-12)

Bug Fixes

• allow KID of '0' (#505) (9dc46a9)

Miscellaneous Chores

• drop support for PHP 7.3 (#495)

6.4.0 (2023-02-08)

Features

• add support for W3C ES256K (#462) (213924f)
• improve caching by only decoding jwks when necessary (#486) (78d3ed1)

6.3.2 (2022-11-01)

Bug Fixes

• check kid before using as array index (bad1b04)

6.3.1 (2022-11-01)

Bug Fixes

• casing of GET for PSR compat (#451) (60b52b7)
• string interpolation format for php 8.2 (#446) (2e07d8a)

Features

• Added ES256 support to JWK parsing (#399)

Bug Fixes

• Fixed potential caching error in CachedKeySet by caching jwks as strings (#435)

Features

1. Added Cached Key Sets (#397)!! See the README for usage instructions

2. Added $defaultAlg parameter to JWT::parseKey and JWT::parseKeySet (#426). This will allow users to parse JWKS which do not populate the alg parameter without having to manually edit the JSON.

Bug Fix

• revert the flag to json_decode to force object (https://github.com/firebase/php-jwt/pull/420)

Note: This fixes the PHP Fatal error the previous version tried to fix, but does so in a safer way.

Bug Fixes

Add flag to json_decode to force object (#416)

Note: This technically breaks backwards compatibility, but it fixes a PHP Fatal error in the current release on JWT::decode which also broke backwards compatibility, so we hope it's justified 🤞

Note: There should be no issues with backwards compatibility unless types were being used incorrectly

• This version is compatible with PHP >= 7.1
• Drop support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0
• Add parameter typing and return types
• Better PHPDoc / IDE support

Note: This version is compatible with PHP >= 5.3

Backwards Compatibility Breaking Changes

• The second argument of JWT::decode now must be Firebase\JWT\Key or array<string, Firebase\JWT\Key> (see #376)
• The return type of Firebase\JWT\JWK::parseKey is now Firebase\JWT\Key (see #392)
• The return type of Firebase\JWT\JWK::parseKeySet is now array<string, Firebase\JWT\Key> (see #376)
• The "alg" parameter is required to be set for all JWKS parsed using Firebase\JWT\JWK::parseKeySet (see #376)
• The flag JSON_UNESCAPED_SLASHES is now used for JSON decoding (see #376)
• Constants ASN1_INTEGER, ASN1_SEQUENCE, and ASN1_BIT_STRING have been removed (see #376)
• JWT::encode requires third argument $alg (see #377)
• JWT::sign requires third argument $alg (see #377)

Using Firebase\JWT\Key

Using the Key object in JWT::decode

As a security fix, to avoid key type confusion (see #351), use of Firebase\JWT\Key is now required when decoding:

use Firebase\JWT\JWT;

// previous (v5.5.1 and below)
$decoded = JWT::decode($jwt, $publicKey, 'RS256');

// new (v6.0.0)
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));

And when you have more than one key, the second argument can be an array of Key objects:

use Firebase\JWT\JWT;

// previous (v5.5.1 and below)
$decoded = JWT::decode($jwt, [$publicKey1, $publicKey2], 'RS256');

// new (v6.0.0)
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, [
    'kid1' => new Key($publicKey1, 'RS256'),
    'kid2' => new Key($publicKey2, 'RS256')
]);  

Note: When providing multiple keys, you must provide the matching $kid as the fourth parameter to the JWT::encode function

Using the Key object in JWK::parseKey and JWK::parseKeySet

Calls to JWK::parseKey and JWK::parseKeySet now return a Key object and an array of Key objects respectively.

use Firebase\JWT\JWK;

// previous (v5.5.1 and below)
$key = JWK::parseKey($jwk); // $key is a resource
$keys = JWK::parseKeySet($jwks); // $keys is an associative array key ID to resources

// new (v6.0.0)
$key = JWK::parseKey($jwk); // $key is a Key object
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to Key objects

If the keys in your JWKS do not contain the "alg", you need to set it manually to the expected algorithm, for it to be able to parse successfully:

// new (v6.0.0) for JWKS which do not contain "alg"
foreach ($jwks as $k => $jwks) {
    $jwks[$k]['alg'] = 'RS256'; // the expected alg of your JWKS
}
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to Key objects

Bug Fixes

This release fixes BC issues caused by the changes in 5.5.0:

• Updates PHPDoc for static analyzers (#371)
• Ensures exceptions are not thrown for keys of type resource or OpenSSLAsymmetricKey (#371)

!!IMPORTANT!!

The recommended usage of this library has changed. A Key object should now be used as the second argument to JWT::decode instead of using the allowed_algs array. This will prevent key/algorithm type confusion:

// Previous way to call "decode"
Firebase\JWT\JWT::decode($jwt, $publicKey, ['RS256']);

// New (safer) way to call "decode"
$key = new Firebase\JWT\Key($publicKey, 'RS256');
Firebase\JWT\JWT::decode($jwt, $key);

Please see #351 for more information on the issue, and #365 for the merged changes. The README has also been updated to reflect the new usage.

Features

• add Ed25519 support to JWT (#343)
• make JWK::parseKey public (#337)

Bug Fixes

• export-ignore github dir (#338)

Features

• add ES384 support (#324)

Bug Fixes

• allow for null d values in RSA JWK (#330)

Bug Fixes

• fix: add missing use statement in JWK (#303)

Features

• JWK support (#273)

Bug Fixes

• Backslashes for native function invocations (#284)