How does SimpleJWT compare to Laravel Sanctum or Passport for JWT authentication?

SimpleJWT is a low-level library focused on JWT/JWS/JWE generation and validation, while Sanctum and Passport are full-featured auth systems. Use SimpleJWT if you need custom token logic (e.g., multi-recipient JWE) or want to integrate with existing auth systems like Sanctum for user mapping.

What Laravel versions does SimpleJWT support?

SimpleJWT requires PHP 8.0+, but it’s framework-agnostic. It integrates with Laravel via service providers, middleware, or facades, so it works with Laravel 8+ (tested with 8.x, 9.x, and 10.x). Check the [GitHub](https://github.com/kelvinmo/simplejwt) for updates.

Can I use SimpleJWT for OAuth2/OIDC token validation in Laravel?

Yes. SimpleJWT validates JWTs (e.g., `access_token` claims) per RFC7519. Pair it with Laravel’s OAuth2 clients (e.g., Passport) to decode tokens, then manually map claims (e.g., `sub` → `user_id`) to your User model or database.

How do I store and rotate keys securely in production?

Store keys in a secure vault (e.g., AWS KMS, HashiCorp Vault) or encrypted filesystem. For rotation, use a cron job to update the `KeySet` in Redis (cached) or a config file. SimpleJWT supports JWK/PEM formats—avoid hardcoding secrets in code.

Will SimpleJWT work with Laravel’s caching system (Redis) for keys?

Absolutely. Cache `KeySet` instances in Redis using Laravel’s cache driver to avoid repeated file I/O or PEM parsing. Example: `cache()->remember('keyset:active', 3600, fn() => $keySet->loadFromFile('keys.json'))`.

Does SimpleJWT support EdDSA or X25519 for post-quantum security?

Yes, but it requires the `sodium` PHP extension. EdDSA (e.g., Ed25519) and X25519 (ECDH-ES) are supported for signatures and key agreement. Enable sodium in `php.ini` and install via `pecl install sodium`.

How do I revoke tokens in Laravel using SimpleJWT?

SimpleJWT doesn’t track revoked tokens natively. Store token hashes (e.g., `sha256(token)`) in a `jwt_blacklist` table, then validate against this list in middleware. For short-lived tokens, rely on `exp` claims instead.

What’s the performance impact of RSA-OAEP vs. HMAC (HS256) for signing?

RSA-OAEP is CPU-intensive (~10x slower than HS256) due to asymmetric crypto. Benchmark with `k6` or `ab` under load. For high-throughput APIs, prefer symmetric keys (HS256) unless regulatory compliance demands RSA/ECDSA.

Can I use SimpleJWT for multi-recipient JWE (e.g., encrypted messages for multiple services)?

Yes, SimpleJWT supports multi-recipient JWE via `JWE::encryptForMultipleRecipients()`. Each recipient needs a public key (JWK/PEM). Useful for microservices where a single message must be decrypted by multiple services.

Are there alternatives to SimpleJWT for Laravel JWT auth with less complexity?

For simpler use cases, consider `typhon/jwt-auth` (Laravel-specific) or `firebase/php-jwt` (lightweight). SimpleJWT is ideal if you need advanced features like COSE, PBES2, or multi-recipient JWE, but adds complexity for basic JWT signing.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Simplejwt Laravel Package

kelvinmo/simplejwt

SimpleJWT is a lightweight PHP 8+ library for JWT/JWS/JWE and JWK/COSE keys. Supports HS/RSA/ECDSA/EdDSA signatures, key management (RSA-OAEP, AES-KW, PBES2, ECDH-ES/X25519) and AES-GCM/CBC-HS encryption.

View on GitHub

Deep Wiki

Context7

A simple JSON web token library written in PHP.

Frequently asked questions about Simplejwt

How does SimpleJWT compare to Laravel Sanctum or Passport for JWT authentication?: SimpleJWT is a low-level library focused on JWT/JWS/JWE generation and validation, while Sanctum and Passport are full-featured auth systems. Use SimpleJWT if you need custom token logic (e.g., multi-recipient JWE) or want to integrate with existing auth systems like Sanctum for user mapping.
What Laravel versions does SimpleJWT support?: SimpleJWT requires PHP 8.0+, but it’s framework-agnostic. It integrates with Laravel via service providers, middleware, or facades, so it works with Laravel 8+ (tested with 8.x, 9.x, and 10.x). Check the [GitHub](https://github.com/kelvinmo/simplejwt) for updates.
Can I use SimpleJWT for OAuth2/OIDC token validation in Laravel?: Yes. SimpleJWT validates JWTs (e.g., `access_token` claims) per RFC7519. Pair it with Laravel’s OAuth2 clients (e.g., Passport) to decode tokens, then manually map claims (e.g., `sub` → `user_id`) to your User model or database.
How do I store and rotate keys securely in production?: Store keys in a secure vault (e.g., AWS KMS, HashiCorp Vault) or encrypted filesystem. For rotation, use a cron job to update the `KeySet` in Redis (cached) or a config file. SimpleJWT supports JWK/PEM formats—avoid hardcoding secrets in code.
Will SimpleJWT work with Laravel’s caching system (Redis) for keys?: Absolutely. Cache `KeySet` instances in Redis using Laravel’s cache driver to avoid repeated file I/O or PEM parsing. Example: `cache()->remember('keyset:active', 3600, fn() => $keySet->loadFromFile('keys.json'))`.
Does SimpleJWT support EdDSA or X25519 for post-quantum security?: Yes, but it requires the `sodium` PHP extension. EdDSA (e.g., Ed25519) and X25519 (ECDH-ES) are supported for signatures and key agreement. Enable sodium in `php.ini` and install via `pecl install sodium`.
How do I revoke tokens in Laravel using SimpleJWT?: SimpleJWT doesn’t track revoked tokens natively. Store token hashes (e.g., `sha256(token)`) in a `jwt_blacklist` table, then validate against this list in middleware. For short-lived tokens, rely on `exp` claims instead.
What’s the performance impact of RSA-OAEP vs. HMAC (HS256) for signing?: RSA-OAEP is CPU-intensive (~10x slower than HS256) due to asymmetric crypto. Benchmark with `k6` or `ab` under load. For high-throughput APIs, prefer symmetric keys (HS256) unless regulatory compliance demands RSA/ECDSA.
Can I use SimpleJWT for multi-recipient JWE (e.g., encrypted messages for multiple services)?: Yes, SimpleJWT supports multi-recipient JWE via `JWE::encryptForMultipleRecipients()`. Each recipient needs a public key (JWK/PEM). Useful for microservices where a single message must be decrypted by multiple services.
Are there alternatives to SimpleJWT for Laravel JWT auth with less complexity?: For simpler use cases, consider `typhon/jwt-auth` (Laravel-specific) or `firebase/php-jwt` (lightweight). SimpleJWT is ideal if you need advanced features like COSE, PBES2, or multi-recipient JWE, but adds complexity for basic JWT signing.

Popularity trends

Recorded values over time (once-a-day snapshots). May 8, 2026 – Jun 6, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

Favorites

Forks

Score

26.4

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 70

+0.4
Forks

input: 21

+0.6
Open issues + PRs

input: 0

+0.0
Releases

input: 23

+6.9
Recency

input: 35

+18.1
Issue opportunity

input: 0

+0.0
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 26.0

Opportunity

43.1

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

67.1
Contribution need

open_issues + open_prs: 0

0.0
Health factor

archived + recency + open issues

×0.99

Total 43.0

License

NOASSERTION

Last release

May 1, 2026

Watchers

Downloads

34K/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

hamzi/corewatch

minionfactory/raw-hydrator

hexters/coinpayment

rjcodes/rjcms

act-training/laravel-permissions-manager

alimarchal/laravel-chart-of-accounts

babenkoivan/elastic-scout-driver

mkwebdesign/filament-watchdog-v5

renatomarinho/laravel-page-speed

zedmagdy/filament-business-hours

renatovdemoura/blade-elements-ui

devgeek/beacon-admin

benjamin-rqt/data-watcher-bundle

atriumphp/atrium

sandermuller/package-boost-laravel

sandermuller/boost-skills

redaxo/core

yusufgenc/filament-api-forge

l3aro/rating-star-for-filament

leek/filament-subtenant-scope