Cose Lib Laravel Package

web-auth/cose-lib

PHP 8.1+ COSE (RFC 9052/9053) library: sign, encrypt, and MAC with full tag support (Sign1/Sign, Encrypt0/Encrypt, Mac0/Mac). Supports ECDSA, EdDSA, RSA, and HMAC. Compatible with WebAuthn/FIDO2.

web-auth/cose-lib is a modern PHP library implementing CBOR Object Signing and Encryption (COSE) per RFC 9052/9053. It provides building blocks to create and verify COSE messages used in WebAuthn/FIDO2, security tokens, and other CBOR-based ecosystems.

It supports common COSE message types and cryptographic algorithms with strict typing and strong test coverage, making it suitable for production-grade signature, encryption, and MAC workflows.

  • COSE tags: Sign1/Sign, Encrypt0/Encrypt, Mac0/Mac
  • Algorithms: ECDSA, EdDSA, RSA (RS/PS), HMAC (SHA-256/384/512)
  • PHP 8.1+ with strict types and PHPStan-friendly APIs
  • Integrates with spomky-labs/cbor-php for tag decoding/encoding

Frequently asked questions about Cose Lib

How do I integrate this COSE library into a Laravel application for WebAuthn/FIDO2 authentication?
Install via Composer (`composer require web-auth/cose-lib spomky-labs/cbor-php`), then use the `CoseSign1Tag` class to create or verify signatures. For WebAuthn, focus on ES256 (ECDSA) signatures with `CoseSign1Tag::create()` and verify using the decoded payload. Laravel’s middleware can handle the COSE message parsing, while the library abstracts CBOR complexity.
Which Laravel versions and PHP versions are officially supported?
This package requires PHP 8.1+ and is framework-agnostic but fully compatible with Laravel 9+. It leverages strict types and modern PHP features, so ensure your Laravel app meets the PHP 8.1 baseline. No Laravel-specific dependencies exist, making it a drop-in solution for any Laravel 9+ project.
Can I use this library to replace JWT in Laravel for API authentication?
Yes, COSE_Sign1 (tag 18) is ideal for compact, CBOR-based signatures like JWT but with stronger cryptographic guarantees. Replace JWT payloads with COSE messages, using `CoseSign1Tag::create()` for signing and `CoseSign1Tag::verify()` for validation. Store COSE messages in binary fields (e.g., PostgreSQL `bytea`) and decode them with the library’s CBOR decoder.
How do I handle key management for COSE signatures in production?
Use Laravel’s encryption services or integrate with AWS KMS/GCP Cloud KMS for secure key storage. The library supports JWK (JSON Web Key) formats, so you can store private keys in encrypted databases or hardware security modules (HSMs). Always use `kid` (key ID) headers to associate signatures with the correct key pair.
Does this library support asynchronous COSE operations for high-load Laravel queues?
Yes, cryptographic operations like signing/verification can be offloaded to Laravel queues (e.g., Redis or database queues) to avoid blocking I/O-bound requests. Dispatch jobs with `CoseSign1Tag` or `CoseEncrypt0Tag` payloads, then process them in background workers. This is critical for high-volume systems like WebAuthn authentication flows.
Are there alternatives to this library for COSE in PHP, and why should I choose this one?
Alternatives include custom CBOR/COSE implementations or JavaScript libraries like `cose-js`, but this package is the most mature PHP-native solution with full RFC 9052/9053 compliance. It includes strict typing, PHPStan support, and comprehensive test coverage (e.g., EU DCC validation), making it production-ready for Laravel apps requiring WebAuthn, FIDO2, or digital health certificates.
How do I verify a COSE_Sign1 signature in Laravel, and what exceptions should I expect?
Use the `CoseSign1Tag::verify()` method with the decoded COSE message and public key. Handle `CoseException` for malformed messages and `CryptographicException` for verification failures. For Laravel, wrap the verification in a try-catch block that catches both and return HTTP 403 (Forbidden) on failure. Example: `try { $coseSign1->verify($publicKey); } catch (CoseException | CryptographicException $e) { abort(403); }`
Can I use this library to encrypt data for secure API responses in Laravel?
Yes, use `CoseEncrypt0Tag` for single-recipient encryption or `CoseEncryptTag` for multiple recipients. Encrypt sensitive payloads (e.g., PII) before returning them in API responses. Decrypt on the client side using compatible libraries like `cose-js` for JavaScript or Rust’s `cose` crate. Store encrypted COSE messages in binary fields and decode them with the library’s CBOR decoder.
How does this library handle edge cases like malformed COSE messages or unsupported algorithms?
The library throws `CoseException` for malformed messages and `UnsupportedAlgorithmException` for unsupported algorithms (e.g., legacy RSA variants). Use PHPStan to catch type-related issues early. For Laravel, validate COSE messages in middleware or form requests, returning HTTP 400 (Bad Request) for invalid inputs. The test suite includes edge cases like truncated payloads and invalid signatures.
Is this library suitable for EU Digital COVID Certificate (DCC) validation in Laravel?
Absolutely. The library was tested with EU DCC validation and supports the required algorithms (e.g., ES256 for signatures). Use `CoseSign1Tag::verify()` with the DCC’s public key and validate the payload structure against the EU DCC specification. The library’s CBOR decoder handles the binary COSE messages natively, reducing parsing complexity.