JWT (JSON Web Tokens) is an open standard based on JSON for securely transferring information between two applications. It consists of 3 parts: Header, Payload and Signature. The Header contains metadata about the Token, the Payload is the part that actually stores the information, and the Signature is used to verify the integrity of the message.
In this article, we will explore how to implement JWT using PHP.
- Installation dependencies
JWT needs to be installed through Composer. If you have not installed Composer, you can install it with the following command:
curl -sS https://getcomposer.org/installer | php
Then move the Composer executable file to the /usr/local/bin directory:
sudo mv composer.phar /usr/local/bin/composer
Install dependencies:
composer require firebase/php-jwt
- Create Token
First, we need to create a Token using PHP's jwt_encode() function. Here is an example:
use \Firebase\JWT\JWT; $key = "my_secret_key"; //密钥 $payload = array( "iss" => "localhost", "aud" => "localhost", "iat" => time(), "exp" => time()+60*60 //有效期1小时 ); $jwt = JWT::encode($payload, $key);
In the above example, we use the jwt_encode() function to create a JWT. The $key variable contains the JWT key, and the $payload variable contains the information to be transmitted and the expiration time. The expiration time can be obtained using PHP's time() function. Finally, the jwt_encode() function returns a JWT string.
- Verify Token
We need to use PHP's jwt_decode() function to verify the JWT. Here is an example:
use \Firebase\JWT\JWT;
$key = "my_secret_key"; //密钥
$jwt = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJsb2NhbGhvc3QiLCJhdWQiOiJsb2NhbGhvc3QiLCJpYXQiOjE1NTg2NTQ2OTksImV4cCI6MTU1ODY5MTg5OSwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSIsIm5hbWUiOiJhZG1pbiJ9.AmifgOPkE8lx4m4ovHShBc1sPLs9QnNgzuiBZfrjtLw";
try {
$decoded = JWT::decode($jwt, $key, array('HS256'));
print_r($decoded);
} catch (Exception $e) {
echo 'Invalid token: ' . $e->getMessage();
}
In the above example, we used the jwt_decode() function to verify the JWT. If the verification is successful, the function will return an object containing the JWT information.
- Verify signature
The signature is used to verify the integrity of the JWT. We need to sign the message using a key that is known only to the signature verification mechanism. When the receiver receives the message, he will use the same key to decrypt and verify the message.
JWT uses a technology called "Hash Message Authentication Code" (HMAC) to sign the JWT. This technology requires hashing the JWT Header and Payload and then combining them with the key. Next is an example of signature verification:
use \Firebase\JWT\JWT;
$key = "my_secret_key"; //密钥
$jwt = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJsb2NhbGhvc3QiLCJhdWQiOiJsb2NhbGhvc3QiLCJpYXQiOjE1NTg2NTQ2OTksImV4cCI6MTU1ODY5MTg5OSwiZW1haWwiOiJhZG1pbkBleGFtcGxlLmNvbSIsIm5hbWUiOiJhZG1pbiJ9.AmifgOPkE8lx4m4ovHShBc1sPLs9QnNgzuiBZfrjtLw";
try {
$decoded = JWT::decode($jwt, $key, array('HS256'));
$decoded_array = (array) $decoded;
$signature_valid = JWT::verify("$jwt->header.$jwt->payload", $jwt->signature, $key);
if ($signature_valid) {
echo "Valid signature";
} else {
echo "Invalid signature";
}
} catch (Exception $e) {
echo 'Invalid token: ' . $e->getMessage();
}
In the above example, we used the verify() function to verify the signature. This function will return a boolean value. If the result is true, it means that the signature is valid.
Summary
In this article, we briefly introduced how to implement JWT using PHP. First, we need to install the JWT dependent library, then use the jwt_encode() function to create the Token, use the jwt_decode() function to verify the Token, and finally use the verify() Function to verify signature. These functions can be implemented through Firebase's JWT library.
The above is the detailed content of How to implement JWT using PHP. For more information, please follow other related articles on the PHP Chinese website!
ACID vs BASE Database: Differences and when to use each.Mar 26, 2025 pm 04:19 PMThe article compares ACID and BASE database models, detailing their characteristics and appropriate use cases. ACID prioritizes data integrity and consistency, suitable for financial and e-commerce applications, while BASE focuses on availability and
PHP Secure File Uploads: Preventing file-related vulnerabilities.Mar 26, 2025 pm 04:18 PMThe article discusses securing PHP file uploads to prevent vulnerabilities like code injection. It focuses on file type validation, secure storage, and error handling to enhance application security.
PHP Input Validation: Best practices.Mar 26, 2025 pm 04:17 PMArticle discusses best practices for PHP input validation to enhance security, focusing on techniques like using built-in functions, whitelist approach, and server-side validation.
PHP API Rate Limiting: Implementation strategies.Mar 26, 2025 pm 04:16 PMThe article discusses strategies for implementing API rate limiting in PHP, including algorithms like Token Bucket and Leaky Bucket, and using libraries like symfony/rate-limiter. It also covers monitoring, dynamically adjusting rate limits, and hand
PHP Password Hashing: password_hash and password_verify.Mar 26, 2025 pm 04:15 PMThe article discusses the benefits of using password_hash and password_verify in PHP for securing passwords. The main argument is that these functions enhance password protection through automatic salt generation, strong hashing algorithms, and secur
OWASP Top 10 PHP: Describe and mitigate common vulnerabilities.Mar 26, 2025 pm 04:13 PMThe article discusses OWASP Top 10 vulnerabilities in PHP and mitigation strategies. Key issues include injection, broken authentication, and XSS, with recommended tools for monitoring and securing PHP applications.
PHP XSS Prevention: How to protect against XSS.Mar 26, 2025 pm 04:12 PMThe article discusses strategies to prevent XSS attacks in PHP, focusing on input sanitization, output encoding, and using security-enhancing libraries and frameworks.
PHP Interface vs Abstract Class: When to use each.Mar 26, 2025 pm 04:11 PMThe article discusses the use of interfaces and abstract classes in PHP, focusing on when to use each. Interfaces define a contract without implementation, suitable for unrelated classes and multiple inheritance. Abstract classes provide common funct
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SublimeText3 Linux new version
SublimeText3 Linux latest version
Dreamweaver Mac version
Visual web development tools
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
SublimeText3 Mac version
God-level code editing software (SublimeText3)
