PEAR package for JWT
PHP Shell
#134 Compare This branch is 133 commits ahead of luciferous:master.

Build Status Latest Stable Version Total Downloads License


A simple library to encode and decode JSON Web Tokens (JWT) in PHP, conforming to RFC 7519.


Use composer to manage your dependencies and download PHP-JWT:

composer require firebase/php-jwt


use \Firebase\JWT\JWT;

$key = "example_key";
$token = array(
    "iss" => "",
    "aud" => "",
    "iat" => 1356999524,
    "nbf" => 1357000000

 * You must specify supported algorithms for your application. See
 * for a list of spec-compliant algorithms.
$jwt = JWT::encode($token, $key);
$decoded = JWT::decode($jwt, $key, array('HS256'));


 NOTE: This will now be an object instead of an associative array. To get
 an associative array, you will need to cast it as such:

$decoded_array = (array) $decoded;

 * You can add a leeway to account for when there is a clock skew times between
 * the signing and verifying servers. It is recommended that this leeway should
 * not be bigger than a few minutes.
 * Source:
JWT::$leeway = 60; // $leeway in seconds
$decoded = JWT::decode($jwt, $key, array('HS256'));



4.0.0 / 2016-07-17

  • Add support for late static binding. See #88 for details. Thanks to @chappy84!
  • Use static $timestamp instead of time() to improve unit testing. See #93 for details. Thanks to @josephmcdermott!
  • Fixes to exceptions classes. See #81 for details. Thanks to @Maks3w!
  • Fixes to PHPDoc. See #76 for details. Thanks to @akeeman!

3.0.0 / 2015-07-22

  • Minimum PHP version updated from 5.2.0 to 5.3.0.
  • Add \Firebase\JWT namespace. See #59 for details. Thanks to @Dashron!
  • Require a non-empty key to decode and verify a JWT. See #60 for details. Thanks to @sjones608!
  • Cleaner documentation blocks in the code. See #62 for details. Thanks to @johanderuijter!

2.2.0 / 2015-06-22

  • Add support for adding custom, optional JWT headers to JWT::encode(). See #53 for details. Thanks to @mcocaro!

2.1.0 / 2015-05-20

  • Add support for adding a leeway to JWT:decode() that accounts for clock skew between signing and verifying entities. Thanks to @lcabral!
  • Add support for passing an object implementing the ArrayAccess interface for $keys argument in JWT::decode(). Thanks to @aztech-dev!

2.0.0 / 2015-04-01

  • Note: It is strongly recommended that you update to > v2.0.0 to address known security vulnerabilities in prior versions when both symmetric and asymmetric keys are used together.
  • Update signature for JWT::decode(...) to require an array of supported algorithms to use when verifying token signatures.


Run the tests using phpunit:

$ pear install PHPUnit
$ phpunit --configuration phpunit.xml.dist
PHPUnit 3.7.10 by Sebastian Bergmann.
Time: 0 seconds, Memory: 2.50Mb
OK (5 tests, 5 assertions)


3-Clause BSD.