How do I integrate this COSE library into a Laravel application for WebAuthn/FIDO2 authentication?

Install via Composer (`composer require web-auth/cose-lib`) and add `spomky-labs/cbor-php` for COSE tag support. Use the library’s `Signature1`, `Encrypt0`, or `Mac0` classes to generate or verify COSE signatures/encryption, then integrate with Laravel’s request/response handling for WebAuthn challenges and assertions.

Which Laravel versions and PHP versions are officially supported by this package?

This package requires **PHP 8.1+** and is framework-agnostic, meaning it works with any Laravel version supporting PHP 8.1+. No Laravel-specific dependencies exist, but ensure your Laravel app meets PHP 8.1’s requirements for type safety and strict mode.

Does this library support Ethereum’s ES256K algorithm for blockchain-based authentication?

Yes, the **4.5.2+** release fixes an ES256K misidentification bug (critical for Ethereum Keccak256 signatures). If you’re using Ethereum-based keys, upgrade to 4.5.2 and retest your COSE signature validation workflows. Pre-4.5.2 versions may fail validation for ES256K.

How do I verify a COSE_Sign1 signature in Laravel using this package?

Decode the COSE_Sign1 payload with `Decoder::create()` (configured with `CoseSign1Tag`), then use `Signature1::verify()` with your public key. Example: `$signature->verify($protectedHeader, $payload, $publicKey)` returns a boolean. For Laravel, wrap this in a service class to handle request/response cycles.

Are there performance concerns with CBOR parsing in production?

CBOR parsing (via `spomky-labs/cbor-php`) is the primary overhead, but the library is optimized for RFC 9052/9053 compliance. Benchmark your use case—most WebAuthn/FIDO2 workflows handle CBOR efficiently. For high-throughput systems, cache decoded COSE objects if reused.

Can I use this library for encrypting/decrypting messages in Laravel queues or jobs?

Yes, use `CoseEncrypt0` for single-recipient encryption and `CoseEncrypt` for multi-recipient. Store encrypted payloads in queues/jobs, then decrypt using recipient keys. Ensure keys are securely managed (e.g., Laravel’s `encryption` config or Hashicorp Vault).

What alternatives exist for COSE in PHP/Laravel, and why choose this package?

Alternatives include `paragonie/cose` (less maintained) or JavaScript libraries (e.g., `cose-js`) with PHP bridges. This package is **RFC-compliant**, actively maintained by Spomky Labs, and integrates seamlessly with Laravel’s PHP 8.1+ ecosystem. It also fixes niche bugs like ES256K, critical for Ethereum integrations.

How do I test COSE operations in Laravel’s testing environment?

Use Laravel’s `HttpTestResponse` to mock COSE payloads, then assert verification/decryption outcomes. Example: `$response->assertJson(['cose_signature' => $validSignature])`. For unit tests, generate test keys with `openssl` or libraries like `web-token/jwt-framework` and validate against known COSE samples from RFC 9052.

Does this library support MAC (Message Authentication Code) operations for API integrity checks?

Yes, use `CoseMac0` (single MAC) or `CoseMac` (multi-recipient) with HMAC-SHA256/384/512. Generate a MAC with `$mac->compute($payload, $key)`, then verify in Laravel middleware or API gateways. Ideal for securing API requests/responses without encryption.

How do I handle key management for COSE operations in Laravel?

Store private keys in Laravel’s `config/filesystems` (encrypted) or a secrets manager like AWS KMS. For public keys, use Laravel’s `cache` or a dedicated key store. The library itself doesn’t enforce key storage—implement your own `KeyRepository` interface or leverage Laravel’s existing encryption services.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Cose Lib Laravel Package

web-auth/cose-lib

PHP 8.1+ COSE (RFC 9052/9053) library supporting Sign1/Sign, Encrypt0/Encrypt, Mac0/Mac with full tag support. Implements ECDSA, EdDSA, RSA and HMAC algorithms for signing, encryption and MAC; compatible with WebAuthn/FIDO2.

View on GitHub

Deep Wiki

Context7

Cose Key and Algorithms support

Frequently asked questions about Cose Lib

How do I integrate this COSE library into a Laravel application for WebAuthn/FIDO2 authentication?: Install via Composer (`composer require web-auth/cose-lib`) and add `spomky-labs/cbor-php` for COSE tag support. Use the library’s `Signature1`, `Encrypt0`, or `Mac0` classes to generate or verify COSE signatures/encryption, then integrate with Laravel’s request/response handling for WebAuthn challenges and assertions.
Which Laravel versions and PHP versions are officially supported by this package?: This package requires **PHP 8.1+** and is framework-agnostic, meaning it works with any Laravel version supporting PHP 8.1+. No Laravel-specific dependencies exist, but ensure your Laravel app meets PHP 8.1’s requirements for type safety and strict mode.
Does this library support Ethereum’s ES256K algorithm for blockchain-based authentication?: Yes, the **4.5.2+** release fixes an ES256K misidentification bug (critical for Ethereum Keccak256 signatures). If you’re using Ethereum-based keys, upgrade to 4.5.2 and retest your COSE signature validation workflows. Pre-4.5.2 versions may fail validation for ES256K.
How do I verify a COSE_Sign1 signature in Laravel using this package?: Decode the COSE_Sign1 payload with `Decoder::create()` (configured with `CoseSign1Tag`), then use `Signature1::verify()` with your public key. Example: `$signature->verify($protectedHeader, $payload, $publicKey)` returns a boolean. For Laravel, wrap this in a service class to handle request/response cycles.
Are there performance concerns with CBOR parsing in production?: CBOR parsing (via `spomky-labs/cbor-php`) is the primary overhead, but the library is optimized for RFC 9052/9053 compliance. Benchmark your use case—most WebAuthn/FIDO2 workflows handle CBOR efficiently. For high-throughput systems, cache decoded COSE objects if reused.
Can I use this library for encrypting/decrypting messages in Laravel queues or jobs?: Yes, use `CoseEncrypt0` for single-recipient encryption and `CoseEncrypt` for multi-recipient. Store encrypted payloads in queues/jobs, then decrypt using recipient keys. Ensure keys are securely managed (e.g., Laravel’s `encryption` config or Hashicorp Vault).
What alternatives exist for COSE in PHP/Laravel, and why choose this package?: Alternatives include `paragonie/cose` (less maintained) or JavaScript libraries (e.g., `cose-js`) with PHP bridges. This package is **RFC-compliant**, actively maintained by Spomky Labs, and integrates seamlessly with Laravel’s PHP 8.1+ ecosystem. It also fixes niche bugs like ES256K, critical for Ethereum integrations.
How do I test COSE operations in Laravel’s testing environment?: Use Laravel’s `HttpTestResponse` to mock COSE payloads, then assert verification/decryption outcomes. Example: `$response->assertJson(['cose_signature' => $validSignature])`. For unit tests, generate test keys with `openssl` or libraries like `web-token/jwt-framework` and validate against known COSE samples from RFC 9052.
Does this library support MAC (Message Authentication Code) operations for API integrity checks?: Yes, use `CoseMac0` (single MAC) or `CoseMac` (multi-recipient) with HMAC-SHA256/384/512. Generate a MAC with `$mac->compute($payload, $key)`, then verify in Laravel middleware or API gateways. Ideal for securing API requests/responses without encryption.
How do I handle key management for COSE operations in Laravel?: Store private keys in Laravel’s `config/filesystems` (encrypted) or a secrets manager like AWS KMS. For public keys, use Laravel’s `cache` or a dedicated key store. The library itself doesn’t enforce key storage—implement your own `KeyRepository` interface or leverage Laravel’s existing encryption services.

Popularity trends

Recorded values over time (once-a-day snapshots). May 9, 2026 – Jun 7, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

Favorites

Forks

Score

26.4

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 18

+0.1
Forks

input: 10

+0.3
Open issues + PRs

input: 2

+0.2
Releases

input: 24

+7.2
Recency

input: 34

+18.1
Issue opportunity

input: 1

+0.0
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 25.9

Opportunity

64.2

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

100.0
Contribution need

open_issues + open_prs: 2

0.0
Health factor

archived + recency + open issues

×0.99

Total 64.0

License

MIT

Last release

May 3, 2026

Watchers

Downloads

2M/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

elnasnato/laraliveui

labrodev/rest-sdk

sampaui/sampaui

babelqueue/php-sdk

facebook/capi-param-builder-php

babelqueue/symfony

hamzi/corewatch

minionfactory/raw-hydrator

hexters/coinpayment

rjcodes/rjcms

act-training/laravel-permissions-manager

alimarchal/laravel-chart-of-accounts

babenkoivan/elastic-scout-driver

mkwebdesign/filament-watchdog-v5

renatomarinho/laravel-page-speed

zedmagdy/filament-business-hours

renatovdemoura/blade-elements-ui

devgeek/beacon-admin

benjamin-rqt/data-watcher-bundle

atriumphp/atrium