1 of 59

v1.x

Introduction

This document is available online at .

JWT Framework

This framework provides an implementation of:

Components

This framework provides several components that will help you to use JWS (signed tokens) and JWE (encrypted tokens). It also provides other nice features to create and manage keys.

Before to start creating your first tokens, we have to create an algorithm manager and keys or key sets.

Algorithm Management
Header Checker and

When your algorithm manager, your keys and your checkers are ready, you will be able to create or load your first tokens.

Algorithm Management (JWA)

The algorithm management is part of the web-token/jwt-core component:

Algorithm Manager

For each cryptographic operation you will perform, you will need at least one algorithm.

The available algorithms depend on the cypher operation to be performed. Please refer to the Signed tokens or the to know more.

These algorithms are managed by an Algorithm Manager. In the following example, we will create an algorithm manager that will handle two algorithms: PS256 and ES512

It is not possible to set the same algorithm twice in the same algorithm manager.

Algorithm Manager Factory

Your application may need several algorithm managers for several use cases. Let say:

Your application issues signed events,
Your application issues authentication tokens for registered users or a resource server.

To avoid mixing algorithms in one algorithm manager or instantiate several times the algorithms for several algorithm managers, this framework provides an Algorithm Manager Factory.

This factory will create algorithm managers on demand. It also allows the same algorithm to be instantiated multiple times but with different configuration options.

Each algorithm is identified using an alias.

The first argument of the method add is the alias for the algorithm. It must be unique. In general, this alias corresponds to the algorithm name.

As you can see in the example, we added the algorithm PBES2-HS512+A256KW twice: with the default configuration and with custom arguments.

Now our algorithm manager factory is ready. We can create several algorithm managers by passing a list of aliases to the method create:

Key (JWK) and Key Set (JWKSet)

To perform cryptographic operations (signature/verification and encryption/decryption), you will need keys. The keys can be grouped in key sets.

The JWK and JWKSet objects are part of the web-token/jwt-core component:

JWK

Key Set Management (JWKSet)

You can create a JWKSet object using three static methods:

JWKSet::createFromKeys(array $keys): creates a JWKSet using a list of JWK objects.
JWKSet::createFromJson(string $json): creates a JWKSet using a JSON object.

Header Checker

When you receive a JWT (JWS or JWE), it is important to check its headers before any other action. In case something went wrong, the token has to be rejected.

To use the header checker, install the corresponding component:

The header parameters are checked by a Header Checker Manager. This manager can contain several header checkers.

Please note that:

the header parameter crit

Claim Checker

JSON Web Tokens can be used to transport any kind of data. They are mainly used to transport claims. When you receive a tokens that contains claims, it is important to check the values of these claims.

The Claim Checker Manager is responsible of this task. To use it, install the corresponding component:

Claim Checker Manager

In the following example, we will create a manager able to check the aud (Audience), iat (Issued At), nbf (Not Before) and exp (Expiration) claims.

When instantiated, call the method check to check the claims of a JWT object. This method only accept an array. You have to retrieve this array by converting the JWT payload.

In some cases, it could be interesting to reject tokens that do not contain some mandatory claims. A list of mandatory claims can be set as second argument. If one of those claims is missing an exception is thrown, even if the claim have not been checked.

In the following example, an exception will be thrown if the iss, sub or aud claim is missing.

Custom Claim Checker

Your application may use other claims that you will have to check therefore custom claim checkers have to be created.

In this example, we will create a class that will check the claim foo. The claim accept only a string with the value bar or bat. All claim checker have to implement the interface Jose\Component\Checker\ClaimChecker;

All done! Now you can instantiate your class and add it to your Claim Checker Manager.

Replicating Claims as Header Parameters

The allows to replicate some claims in the header. This behaviour is very useful with encrypted tokens as it helps to reject invalid tokens without decryption of the payload.

The Claim Checker Manager cannot check those replicated claims, you have to create a . However, to avoid duplicated classes, your claim checker can implement the Jose\Component\Checker\HeaderChecker interface.

Have a look at the IssuedAtChecker or the NotBeforeChecker classes. These checkers can be used for claim and header checks.

Claim Checker Manager Factory

Your application may use JSON Web Tokens in different contexts and thus the meaning of a claim may be different. You will need several Claim Checker Managers with dedicated claim checkers.

This framework provides an Claim Checker Manager Factory. This factory is able to accept as many claim checkers as you need. Each claim checker you add to this factory is associated to an alias. You will then be able to create a claim checker manager using those aliases.

Signed Tokens (JWS)

To use the signed tokens (JWS), you have to install the web-token/jwt-signature component.

composer require web-token/jwt-signature

This component provides lot of signature algorithms and classes to load and create signed tokens.

Please refer to this signature algorithm table to know what algorithms are available.

Then, you will find an example to create a signed token here and another example to load and verify incoming tokens.

Signature Algorithms

This framework comes with several signature algorithms. These algorithms are in the following namespace: Jose\Component\Signature\Algorithm.

From v1.2, the algorithms have their own sub-packages. To avoid BC breaks, these packages are automatically installed for all v1.x of the framework. Starting at v2.0, you will have to explicitly install the algorithm packages you need.

HMAC with SHA-2 Functions. Package web-token/jwt-signature-algorithm-hmac
- HS256
- HS384
- HS512
Elliptic Curve Digital Signature Algorithm (ECDSA). Package web-token/jwt-signature-algorithm-ecdsa
- ES256
- ES384
RSASSA-PKCS1 v1_5. Package web-token/jwt-signature-algorithm-rsa
- RS256
- RS384
RSASSA-PSS. Package web-token/jwt-signature-algorithm-rsa
- PS256
- PS384
Edwards-curve Digital Signature Algorithm (EdDSA) Package web-token/jwt-signature-algorithm-eddsa
- EdDSA (only with the Ed25519 curve)
Unsecured algorithm Package web-token/jwt-signature-algorithm-none
- none

The following signature algorithms are experimental and must not be used in production unless you know what you are doing. They are proposed for testing purpose only.

They are all part of the package web-token/jwt-signature-algorithm-experimental

RS1: RSASSA-PKCS1 v1_5 with SHA-1 hashing function.
HS1: HMAC with SHA-1 hashing function.

How To Use

These algorithms have to be used with the . They do not need any arguments.

Example:

JWS Creation

Now that you have an algorithm manager and a key, it is time to create your first signed token.

The computation is done by the JWSBuilder object. This object requires the algorithm manager and a JSON converter. In the following example, we will use the standard converter provided by the framework.

<?php

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\Converter\StandardConverter;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\HS256;
use Jose\Component\Signature\JWSBuilder;

// The algorithm manager with the HS256 algorithm.
$algorithmManager = AlgorithmManager::create([
    new HS256(),
]);

// Our key.
$jwk = JWK::create([
    'kty' => 'oct',
    'k' => 'dzI6nbW4OcNF-AtfxGAmuyz7IpHRudBI0WgGjZWgaRJt6prBn3DARXgUR8NVwKhfL43QBIU2Un3AvCGCHRgY4TbEqhOi8-i98xxmCggNjde4oaW6wkJ2NgM3Ss9SOX9zS3lcVzdCMdum-RwVJ301kbin4UtGztuzJBeg5oVN00MGxjC2xWwyI0tgXVs-zJs5WlafCuGfX1HrVkIf5bvpE0MQCSjdJpSeVao6-RSTYDajZf7T88a2eVjeW31mMAg-jzAWfUrii61T_bYPJFOXW8kkRWoa1InLRdG6bKB9wQs9-VdXZP60Q4Yuj_WZ-lO7qV9AEFrUkkjpaDgZT86w2g',
]);

// The JSON Converter.
$jsonConverter = new StandardConverter();

// We instantiate our JWS Builder.
$jwsBuilder = new JWSBuilder(
    $jsonConverter,
    $algorithmManager
);

Now let's create our first JWS object.

Great! If everything is fine you will get a JWS object with one signature. We want to send it to the audience. Before that, it must be serialized.

We will use the compact serialization mode. This is the most common mode as it is URL safe and very compact. Perfect for a use in a web context!

use Jose\Component\Signature\Serializer\CompactSerializer;

$serializer = new CompactSerializer($jsonConverter); // The serializer

$token = $serializer->serialize($jws, 0); // We serialize the signature at index 0 (we only have one signature).

All good! The variable $token now contains a string that should be something like this:

Other serialization modes exist. We will see them in the Advanced Topics section.

Encrypted Tokens (JWE)

To use the encrypted tokens (JWE), you have to install the .

This component provides lot of encryption algorithms and classes to load and create encrypted tokens.

Please refer to to know what algorithms are available.

Then, you will find an and another incoming tokens.

JWE Creation

The computation of a JWE is done by the JWEBuilder object. This object requires the following services:

an algorithm manager with key encryption algorithms
an algorithm manager with content encryption algorithms

Symfony Bundle

This framework provides a Symfony bundle that will help you to use the components within your Symfony application. The bundle is available

when you just install the bundle (composer require web-token/jwt-bundle)
when you install the whole framework (composer require web-token/jwt-framework)

If you just install the bundle on an application with Symfony Flex support, then there is nothing to do. Otherwise, you have to register the bundle:

The bundle capabilities will depend on the components installed in your application. The core component is always available.

Algorithm Management

Algorithm Manager Factory Service

The Symfony Bundle provides an Algorithm Manager Factory service. The available algorithms depends on the components installed on your application.

<?php

use Jose\Component\Core\AlgorithmManagerFactory;

$algorithmManagerFactory = $container->get(AlgorithmManagerFactory::class);
$algorithmManager = $algorithmManagerFactory->create(['RS256', 'HS512']);

Custom Algorithm

This factory handles all algorithms services tagged with jose.algorithm.

Example:

Your algorithm will be available through the algorithm manager factory service and the alias FOO.

PBES2-* Algorithms

When installed, the PBES2-* algorithms available throught the algorithm manager factory. They have the default configuration i.e. salt size = 62 bits and count = 4096. If these values does not fit on your needs, you can create a new algorithm service with your own values:

You can now use your custom alias:

Key and Key Set Management

The JWK and JWKSet objects are provided by the web-token/jwt-core component. We recommend you to load these objects through environment variables.

With Symfony 3.4 or 4.0+, an environment variables processor is provided:

With the previous configuration, the environment variables MY_PRIVATE_KEY and MY_PUBLIC_KEYSET will be processed by Symfony and the container will contain the my_private_key and my_public_keyset with JWK and JWKSet objects respectively.

Key Management (JWK)

Keys As Services

When the component is installed, you will be able to define your keys in your application configuration and load your keys from several sources or formats. All these methods have the following option:

is_public: set the service public or private.

The key configuration will look like as follow:

The key will be available as a container service with the ID jose.key.key_name where key_name is the unique name of your key. Each key service will be an instance of the Jose\Component\Core\JWK class.

As any other configuration values, you can use environment variables.

From A Shared Secret

This feature was introduced in version 1.1.

This method will directly get a shared secret.

From A JWK Object

This method will directly load a JWK object.

From A X509 Certificate File

This method will load a X509 Certificate file.

From A X509 Certificate

This method will load a key from a X509 Certificate.

From A PKCS#1/PKCS#8 Key File

This method will load a key from a PKCS#1 or PKCS#8 key file.

From A Key In A Key Set

This method will retrieve a key from a JWKSet service.

Custom Tags

This feature was introduced in version 1.1.

You can add custom tags and attributes to the services you create.

Header and Claim Checker Management

Checker Manager Factory Services

The Symfony Bundle provides Header and Claim Checker Manager Factory services. These services are available when the web-token/jwt-checker component is installed:

Checker Manager Services

You can create Header and Claim Checker Managers using the bundle configuration.

With the previous configuration, the bundle will create public Header and Claim Checker Managers named jose.header_checker.checker1 and jose.claim_checker.checker1 with selected checkers.

Custom Header Or Claim Checker

Some claim or header checkers are provided by this framework, but it is important to create custom checkers that fit on your application requirements.

In the following example, we will assume that the class exist and implement either Jose\Component\Checker\HeaderChecker or Jose\Component\Checker\ClaimChecker.

These checkers will be loaded by the factories and you will be able to create a header or a claim checker manager using the aliases foo or bar.

Custom Tags

This feature was introduced in version 1.1.

You can add custom tags and attributes to the header and claim checker managers.

Signed Tokens

To use the signed tokens (JWS), you have to install the web-token/jwt-signature component.

composer require web-token/jwt-signature

When this component is installed, signature algorithms are automatically handles by the Algorithm Manager Factory.

JWS serializers,
JWS creation,
.

JWS serializers

JWS Serializer Manager Factory Service

A JWSSerializerManagerFactory is available as a service in your application container:

With this factory, you will be able to create the JWSSerializerManager you need:

You can now use the JWSSerializerManager as explained in the JWS Creation/Loading section.

JWS creation

JWS Builder Factory Service

A JWSBuilderFactory is available as a service in your application container:

<?php
use Jose\Component\Signature\JWSBuilderFactory;

$jwsBuilderFactory = $container->get(JWSBuilderFactory::class);

With this factory, you will be able to create the JWSBuilder you need:

You can now use the JWSBuilder as explained in the JWS Creation section.

JWS Builder As Service

There is also another way to create a JWSBuilder object: using the bundle configuration.

With the previous configuration, the bundle will create a public JWS Builder service named jose.jws_builder.builder1 with selected signature algorithms.

Custom Tags

This feature was introduced in version 1.1.

You can add custom tags and attributes to the services you create.

JWS verification

JWS Verifier Factory Service

A JWSVerifierFactory is available as a service in your application container:

With this factory, you will be able to create the JWSVerifier you need:

You can now use the JWSVerifier as explained in the JWS Creation section.

Encrypted Tokens

To use the encrypted tokens (JWE), you have to install the .

When this component is installed, encryption algorithms are automatically handles by the Algorithm Manager Factory.

JWE serializers

JWE Serializer Manager Factory Service

A JWESerializerManagerFactory is available as a service in your application container:

With this factory, you will be able to create the JWESerializerManager you need:

You can now use the JWESerializerManager as explained in the JWE Creation/Loading section.

Available JWE serialization modes are:

jwe_compact
jwe_json_general
jwe_json_flattened

JWE Serializer Manager As Service

There is also another way to create a JWESerializerManager object: using the bundle configuration.

With the previous configuration, the bundle will create a public JWE Serializer Manager service named jose.jwe_serializer.serializer1 with selected serialization modes.

Custom Tags

This feature was introduced in version 1.1.

You can add custom tags and attributes to the services you create.

JWE creation

JWE Builder Factory Service

A JWEBuilderFactory is available as a service in your application container:

With this factory, you will be able to create the JWEBuilder you need:

Available compression methods are:

DEF: deflate (recommended)
GZ: gzip
ZLIB: zlib

You can now use the JWEBuilder as explained in the JWE Creation section.

JWE Builder As Service

There is also another way to create a JWEBuilder object: using the bundle configuration.

With the previous configuration, the bundle will create a public JWE Builder service named jose.jwe_builder.builder1 with selected encryption algorithms.

Custom Tags

This feature was introduced in version 1.1.

You can add custom tags and attributes to the services you create.

JWE decryption

JWE Decrypter Factory Service

A JWEDecrypterFactory is available as a service in your application container:

With this factory, you will be able to create the JWEDecrypter you need:

You can now use the JWEDecrypter as explained in the JWE Creation section.

Reminder: it is important to check the token headers. See the checker section of this documentation.

JWE Decrypter As Service

There is also another way to create a JWEDecrypter object: using the bundle configuration.

With the previous configuration, the bundle will create a public JWE Decrypter service named jose.jwe_decrypter.decrypter1 with selected encryption algorithms.

Custom Tags

This feature was introduced in version 1.1.

You can add custom tags and attributes to the services you create.

JWE Loader Service

This feature was introduced in version 1.1.

The is available as a public service. You can retrieve it using the container or inject it into your services. It will help you to create JWELoader objects on demand.

You can also create JWELoader objects as services using the configuration of the bundle.

Or using the .

Standalone Application

Installation

To install the standalone application, you have to clone the repository and install the dependencies. We consider that git and composer are correctly installed.

git clone https://github.com/web-token/jwt-app.git
cd jwt-app
composer install --no-dev --optimize-autoloader --classmap-authoritative

You will find the standalone console command in the bin folder.

./bin/jose

Symfony Console

To enable the commands on a Symfony application, you have to install and add the associated bundle into your kernel:

composer require web-token/jwt-console
composer require web-token/jwt-bundle

If you use Symfony Flex, you have nothing to do. Otherwise you have to enable to bundle.

// app/AppKernel.php

class AppKernel extends Kernel
{
    public function registerBundles()
    {
        $bundles = [
            ...
            new Jose\Bundle\JwtFramework\JwtFrameworkBundle(),
        ];

        return $bundles;
    }
    ...
}

Then execute your Symfony Console command to use the command provided by this component:

./bin/console

PHAR Application

Installation

To install the application, you just have to download it and download the associated public key (the application is digitally signed):

If everything is fine, you should have two files:

Security Recommendations

Signed or Encrypted Tokens are not just the next trendy/popular way to authenticate users. They provide great features but when used incorrectly they can expose your application to major security issues.

Please read the following recommendations carefully.

Algorithms

Advanced Topics

Signed tokens and

Unprotected Header

You may want to set data in a token header that are not important for your application (e.g. general information). The integrity protection of the data is therefore not needed at all.

The introduces an unprotected header. This header is supported by this framework.

With the example below, we will create a signed token with some unprotected header parameters:

The variable $jws will be a valid JWS object with one signature and both headers.

Note: when an unprotected header is set, the Compact Serialization mode is not available.

Multiple Signatures

When you need to sign the same payload for several audiences, you may want to do it at once. The JWS Builder supports multiple signatures.

With the example below, we will create three signatures using three different algorithms (and signature keys):

$jws = $jwsBuilder
    ->create()
    ->withPayload('...')
    ->addSignature($signature_key1, ['alg' => 'HS256'])
    ->addSignature($signature_key2, ['alg' => 'RS384'])
    ->addSignature($signature_key3, ['alg' => 'ES512'])
    ->build();

The variable $jws will be a valid JWS object with all computed signatures. Next step is the serialization of these signatures.

use Jose\Component\Core\Converter\StandardConverter;
use Jose\Component\Signature\Serializer;

// The JSON Converter.
$jsonConverter = new StandardConverter();

$manager = Serializer\JWSSerializerManager::create([
    new Serializer\CompactSerializer($jsonConverter),
    new Serializer\JsonFlattenedSerializer($jsonConverter),
    new Serializer\JsonGeneralSerializer($jsonConverter),
]);

$tokenWithAllSignatures = $manager->serialize('jws_json_general', $jws);
$compactTokenWithSignatureAtIndex1 = $manager->serialize('jws_compact', $jws, 1);
$flattenedTokenWithSignatureAtIndex2 = $manager->serialize('jws_json_flattened', $jws, 2);

Unencoded Payload

The RFC7797 allows the use of an unencoded payload for the signed tokens. This behaviour is interesting when your tokens have a detached payload and may reduce the token computation.

Please note that when the Compact Serialization mode is used, the characters of the payload must be limited to the following ASCII ranges:

From 0x20 to 0x2d
From 0x2f to 0x7e

This feature is built in the framework and is enabled when the b64 header parameter is set to false. As per the RFC, this header MUST be protected and also listed as a critical (crit) header parameter.

Example:

As a remainder, both b64 and crit parameters MUST be in the protected header.

Encrypted tokens and

Unprotected Headers

As well as the signed tokens, the encrypted tokens also have unprotected header. But with one difference: there are two unprotected headers:

Shared unprotected header applicable to all recipients.
Per-recipient unprotected header.

With the example below, we will create an encrypted token for two recipient and some unprotected header parameters:

The variable $jwe will be a valid JWE object built for two recipients. The unprotected header parameter author is applicable to the whole token while message and description are available only for the first and second recipient respectively.

Note: when an unprotected header is set, the Compact Serialization mode is not available.

Additional Authentication Data (AAD)

The Additional Authenticated Data (AAD) is an input to an Authenticated Encryption operation. The AAD is integrity protected but not encrypted.

Its value can be any string you want that is needed by your application. With the example below, we will add a dummy AAD:

$jwe = $jweBuilder
    ->create()
    ->withPayload('...')
    ->withSharedProtectedHeader([
        'enc' => 'A256CBC-HS512',
        'alg' => 'RSA-OAEP-256',
        'zip' => 'DEF',
    ])
    ->addRecipient($recipient_key)
    ->withAAD('A,B,C,D')
    ->build();

Note: when the AAD is set, the Compact Serialization mode is not available.

Migration

The following pages will help you to migrate your application to this project.

From spomky-labs/jose

From spomky-labs/jose

The following pages will help you to migrate from and to that new framework.

Keys (JWK)

The JWK object is part of the core component (web-token/jwt-core). The may change concern the construction of the object. Its use is very similar.

Before

<?php

use Jose\Object\JWK;

$key = new JWK([
    'kty' => 'RSA',
    'n' => '0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw',
    'e' => 'AQAB',
    'alg' => 'RS256',
    'kid' => '2011-04-29',
]);

$key->has('kty'); // true
$key->get('kty'); // RSA
$key->thumbprint('sha256'); // The Sha-256 thumbprint of the key: "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"
json_encode($key); // The key as a Json object: "{"kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9n...8awapJzKnqDKgw","e":"AQAB","alg":"RS256","kid":"2011-04-29"}"
$key->toPublic(); // Converts a private key to a public one (not relevant in this example as the key is public)
$key->getAll(); // All key parameters

After

<?php

use Jose\Component\Core\JWK;

$key = new JWK([
    'kty' => 'RSA',
    'n' => '0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw',
    'e' => 'AQAB',
    'alg' => 'RS256',
    'kid' => '2011-04-29',
]);

$key->has('kty'); // Unchanged
$key->get('kty'); // Unchanged
$key->thumbprint('sha256'); // Unchanged
json_encode($key); // Unchanged
$key->toPublic(); // Unchanged
$key->all(); // The method name changed.

Header Checking

The header checker manager is part of the checker component (web-token/jwt-checker).

spomky-labs/jose and this framework works a similar way thus migration is very easy. The main differences are:

There are two managers: one for the claims, one for the headers.

Claim Checking

The claim checker manager is part of the checker component (web-token/jwt-checker).

spomky-labs/jose and this framework works a similar way thus migration is very easy. The main differences are:

There are two managers: one for the claims, one for the headers.

v1.x

Introduction

hashtagJWT Framework

Components

Algorithm Management (JWA)

hashtagAlgorithm Manager

hashtagAlgorithm Manager Factory

Key (JWK) and Key Set (JWKSet)

hashtagJWK

Key Set Management (JWKSet)

Header Checker

Claim Checker

hashtagClaim Checker Manager

hashtagCustom Claim Checker

hashtagReplicating Claims as Header Parameters

hashtagClaim Checker Manager Factory

Signed Tokens (JWS)

Signature Algorithms

hashtagHow To Use

JWS Creation

Encrypted Tokens (JWE)

JWE Creation

Symfony Bundle

Algorithm Management

hashtagAlgorithm Manager Factory Service

hashtagCustom Algorithm

hashtagPBES2-* Algorithms

Key and Key Set Management

Key Management (JWK)

hashtagKey Management (JWK)

hashtagKeys As Services

hashtagFrom A Shared Secret

hashtagFrom A JWK Object

hashtagFrom A X509 Certificate File

hashtagFrom A X509 Certificate

hashtagFrom A PKCS#1/PKCS#8 Key File

hashtagFrom A Key In A Key Set

hashtagCustom Tags

Header and Claim Checker Management

hashtagChecker Manager Factory Services

hashtagChecker Manager Services

hashtagCustom Header Or Claim Checker

hashtagCustom Tags

Signed Tokens

JWS serializers

hashtagJWS Serializer Manager Factory Service

JWS creation

hashtagJWS Builder Factory Service

hashtagJWS Builder As Service

hashtagCustom Tags

JWS verification

hashtagJWS Verifier Factory Service

Encrypted Tokens

JWE serializers

hashtagJWE Serializer Manager Factory Service

hashtagJWE Serializer Manager As Service

hashtagCustom Tags

JWE creation

hashtagJWE Builder Factory Service

hashtagJWE Builder As Service

hashtagCustom Tags

JWE decryption

hashtagJWE Decrypter Factory Service

hashtagJWE Decrypter As Service

hashtagCustom Tags

hashtagJWE Loader Service

Standalone Application

hashtagInstallation

Symfony Console

PHAR Application

hashtagInstallation

Security Recommendations

hashtagAlgorithms

Advanced Topics

Signed tokens and

Unprotected Header

Multiple Signatures

Unencoded Payload

Encrypted tokens and

Unprotected Headers

JWT Framework

Algorithm Manager

Algorithm Manager Factory

JWK

Claim Checker Manager

Custom Claim Checker

Replicating Claims as Header Parameters

Claim Checker Manager Factory

How To Use

Algorithm Manager Factory Service

Custom Algorithm

PBES2-* Algorithms

Key Management (JWK)

Keys As Services

From A Shared Secret

From A JWK Object

From A X509 Certificate File

From A X509 Certificate

From A PKCS#1/PKCS#8 Key File

From A Key In A Key Set

Custom Tags

Checker Manager Factory Services

Checker Manager Services

Custom Header Or Claim Checker

Custom Tags

JWS Serializer Manager Factory Service

JWS Builder Factory Service

JWS Builder As Service

Custom Tags

JWS Verifier Factory Service

JWE Serializer Manager Factory Service

JWE Serializer Manager As Service

Custom Tags

JWE Builder Factory Service

JWE Builder As Service

Custom Tags

JWE Decrypter Factory Service

JWE Decrypter As Service

Custom Tags

JWE Loader Service

Installation

Installation

Algorithms

Installation

How To Use

Algorithm Manager

Algorithm Manager Factory

Algorithm Manager Factory Service

Custom Algorithm

PBES2-* Algorithms

JWS Serializer Manager Factory Service

JWS Serializer Manager As Service

Custom Tags

Header Checker Manager

Header Checker Manager Factory

Custom Header Checker

Claim Checker Manager

Custom Claim Checker

Replicating Claims as Header Parameters

Claim Checker Manager Factory

Checker Manager Factory Services

Checker Manager Services

Custom Header Or Claim Checker

Custom Tags

JWS Builder Factory Service

JWS Builder As Service

Custom Tags

JWS Verifier Factory Service

Installation

JWK

JWKSet

JWS Verifier As Service