{"id":23003719,"url":"https://github.com/stechstudio/laravel-jwt","last_synced_at":"2025-04-12T03:47:19.661Z","repository":{"id":57059371,"uuid":"181727863","full_name":"stechstudio/laravel-jwt","owner":"stechstudio","description":"Helper package that makes it easy to generate, consume, and protect routes with JWT tokens in Laravel","archived":false,"fork":false,"pushed_at":"2025-03-03T13:33:21.000Z","size":73,"stargazers_count":126,"open_issues_count":0,"forks_count":5,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-28T17:01:47.377Z","etag":null,"topics":["jwt","jwt-token","laravel"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stechstudio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-16T16:34:26.000Z","updated_at":"2025-03-03T13:33:02.000Z","dependencies_parsed_at":"2025-02-18T10:10:28.735Z","dependency_job_id":"2d96c5ad-0559-40ba-9732-1e6a4f6a5cee","html_url":"https://github.com/stechstudio/laravel-jwt","commit_stats":{"total_commits":43,"total_committers":1,"mean_commits":43.0,"dds":0.0,"last_synced_commit":"892816594a90949d7cd0c2d2391d120fd2a69844"},"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stechstudio%2Flaravel-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stechstudio%2Flaravel-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stechstudio%2Flaravel-jwt/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stechstudio%2Flaravel-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stechstudio","download_url":"https://codeload.github.com/stechstudio/laravel-jwt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247226210,"owners_count":20904465,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt","jwt-token","laravel"],"created_at":"2024-12-15T07:15:08.729Z","updated_at":"2025-04-04T18:02:16.743Z","avatar_url":"https://github.com/stechstudio.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"![](https://user-images.githubusercontent.com/203749/218332026-c858a5c5-357a-4cbb-bbfd-a6397b24a4c3.png)\n\n\n# Laravel JWT Tools\n\n[![Latest Version on Packagist](https://img.shields.io/packagist/v/stechstudio/laravel-jwt.svg?style=flat-square)](https://packagist.org/packages/stechstudio/laravel-jwt)\n[![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)\n![Build Status](https://img.shields.io/endpoint?url=https://app.chipperci.com/projects/dc325ad7-6039-4345-8e77-828492ba0bf1/status/v2\u0026style=flat-square)\n\nThis package wraps the excellent [lcobucci/jwt](https://github.com/lcobucci/jwt) library with the following benefits:\n\n1) `JWT` facade with helper methods to quickly generate and parse tokens.\n2) Enforces a minimal set of claims for generated tokens, like `aud`, `iss`, and `exp`.\n3) Validate parsed tokens to 
ensure our required claims are set properly with signature present and valid.\n4) HTTP Middleware to validate a route-specific JWT\n5) Request macro to easily access route-specific JWT claims\n\n## Quickstart\n\n### Installation\n\n```bash\ncomposer require stechstudio/laravel-jwt\n```\n\n### Simple example\n\nYou can generate a simple JWT with the `get` method. \n\n```php\n$jwt = JWT::get('token-id', ['myclaim' =\u003e 'somevalue']);\n```\n\nThis will generate a token with the ID provided and an array of claims, returning the string token.\n\n### Lifetime\n\nThe default token expiration is set to 10 minutes which you can configure, or you can specify a custom lifetime value as a third parameter when creating the token:\n\n```php\n$jwt = JWT::get('token-id', ['anything' =\u003e 'here'], 3600);\n```\n\nThis token will expire in one hour. You can also specify the lifetime with Carbon:\n\n```php\n$jwt = JWT::get('token-id', ['anything' =\u003e 'here'], now()-\u003eaddMinutes(60));\n```\n\n### Signing key\n\nIf you are generating a JWT that will be consumed by a different app (very common use case in our company) you can specify the signing key as the fourth parameter.\n\n```php\n$jwt = JWT::get('token-id', ['anything' =\u003e 'here'], 3600, config('services.otherapp.key'));\n```\n\n## Configuration\n\nThis package tries to pick sane defaults, while also allowing you to change configs through your .env file.\n\n**Signature key**\n\nEvery token is signed. The `JWT_SIGNING_KEY` value is used if available, otherwise `APP_KEY` will be used as the signing key.\n\n**Lifetime**\n\nDefault lifetime is 600 seconds / 10 minutes. You can change the default by specifying the number of seconds as `JWT_LIFETIME`.\n\n**Issuer**\n\nThe default token issuer (`iss` claim) is your `APP_NAME` lowercase. You can specify a different issuer name via `JWT_ISSUER`.\n\n**Audience**\n\nThe default token audience (`aud` claim) is your `APP_NAME` lowercase. 
You can specify a different audience name via `JWT_AUDIENCE`.\n\n## Building tokens fluently\n\nSo far we've looked at the `JWT::get()` helper method which is super quick for simple needs. \n\nFor more control over your token you can create it fluently instead. \n \nYou can use any of the methods provided by the [underlying `Builder` class](https://lcobucci-jwt.readthedocs.io/en/latest/issuing-tokens/), along with a few new ones like `signWith` and `lifetime`.\n\n```php\n$token = JWT::identifiedBy('my-token-id')\n   -\u003elifetime(3600)\n   -\u003esignWith('custom-signing-key-with-256-bits')\n   -\u003eissuedBy(\"my-app\")\n   -\u003epermittedFor(\"receiving-app\")\n   -\u003ewithClaim('myclaim', 'any value')\n   -\u003egetToken()\n   -\u003etoString();\n```\n\n## Parsing\n\nYou can parse a JWT string into a token:\n\n```php\n$token = JWT::parse(\"... JWT string ...\");\n```\n\nAn exception will be thrown if the JWT cannot be parsed.\n\n## Validate received tokens\n\nJust as this package has opinions on what a generated token should include, we want to ensure those minimums are set appropriately on any received tokens.\n\nAfter parsing a received token, simply call `isValid` or `validate`, depending on whether you want a boolean result or exceptions thrown. Make sure to pass in the expected token ID.\n\n```php\n$token = JWT::parse(\"... 
JWT string ...\");\n\n$token-\u003eisValid('expected-token-id'); // Returns true or false\n\n$token-\u003evalidate('expected-token-id'); // Throws exceptions for any validation failure\n ```\n \n At this point you can be certain that the token:\n\n1) Is signed, and the signature is verified (using the configured signature key)\n2) Is within the permitted timeframe (has not expired)\n3) Is intended for your app (`aud` claim matches the configured audience)\n4) Has the expected ID\n\n### Validation exceptions\n\nWhen calling `validate('expected-token-id')` the following exceptions will be thrown depending on the validation failure:\n\n- `STS\\JWT\\Exceptions\\InvalidSignature`\n- `STS\\JWT\\Exceptions\\TokenExpired`\n- `STS\\JWT\\Exceptions\\InvalidAudience`\n- `STS\\JWT\\Exceptions\\InvalidID`\n- `STS\\JWT\\Exceptions\\ValidationException` will be used for any other types of validation failures.\n\n## Retrieving claims\n\nOnce you've parsed and validated a token, you can retrieve all token claims with `getClaims` or simply `toArray`. \n\nIf you'd like to just retrieve your custom payload claims, use `getPayload`;\n\n```php\n// Make our string token\n$jwt = JWT::get('token-id', ['foo' =\u003e 'bar']);\n\n// Parse it and validate\n$token = JWT::parse($jwt)-\u003evalidate('token-id');\n\n// Ignore registered claims, just get our custom claims\n$token-\u003egetPayload(); // [ foo =\u003e bar ]\n```\n\nOr to retrieve just one claim, use `get` passing in the name of the claim. You can optionally pass in a default value as the second parameter;\n\n```php\n$token-\u003eget(\"foo\"); // bar\n\n$token-\u003eget(\"invalid\"); // null\n\n$token-\u003eget(\"invalid\", \"quz\"); // quz\n```\n\n## Route middleware\n\nWe frequently use JWTs to authorize a request. These are sometimes generated and consumed by the same app, but more frequently they are for cross-app authorization.\n\nYou can use the included `jwt` middleware to validate a JWT request. 
The middleware will look for the JWT in a number of places:\n \n1) As a request parameter named `jwt` or `token`\n2) As a route parameter named `jwt` or `token`\n3) In the Authorization header either as `Token JWT` or `Bearer :base64encodedJWT`\n\nIf a token is found in any of these locations it will be parsed and validated. \n\n### Token ID\n\nBy default, the token ID will be expected to match the route name.\n\nFor example, with the following route the token will need an ID of `my.home`:\n\n```php\nRoute::get('/home', [Controller::class, 'home'])-\u003ename('my.home')-\u003emiddleware('jwt');\n```\n\nYou can specify the required ID by passing it as a middleware parameter:\n\n```php\nRoute::get('/home', [Controller::class, 'home'])-\u003emiddleware('jwt:expected-id');\n```\n\n## Access claims on request\n\n### All token claims\n\nThe Laravel `Request` has a `getClaim` macro on it, so you can grab claims from anywhere.\n\nExample when injecting `$request` into a controller method:\n\n```php\nuse Illuminate\\Http\\Request;\n\nclass Controller {\n    public function home(Request $request)\n    {\n        echo $request-\u003egetClaim('aud'); // The token audience    \n    }\n}\n```\n\n### Custom payload merged\n\nThe token payload (custom claims added to the JWT, not part of the core registered claim set) is merged onto the request attributes, so you can access these just like any other request attribute.\n\nIf the JWT has a `foo` claim, you can directly access `$request-\u003efoo` or `$request-\u003einput('foo')` or even `request('foo')` using the global request helper.\n\n_**Note**: When the payload is merged onto the request, there is a chance that we are stomping on some existing request attributes. Because we **really** trust the payload in a validated JWT, we prefer this behavior. 
However, if you want to disable this, set `JWT_MERGE_PAYLOAD=false` in your .env file._  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstechstudio%2Flaravel-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstechstudio%2Flaravel-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstechstudio%2Flaravel-jwt/lists"}