As well as the signed tokens, the encrypted tokens also have unprotected header. But with one difference: there are two unprotected headers:
- Shared unprotected header applicable to all recipients.
- Per-recipient unprotected header.
With the example below, we will create an encrypted token for two recipient and some unprotected header parameters:
$jwe = $jweBuilder
->withSharedProtectedHeader(['enc' => 'A256GCM', 'alg' => 'A256KW'])
->withSharedHeader(['author' => 'John Doe'])
->addRecipient($recipient_public_key_1, ['message' => 'Hello World!'])
->addRecipient($recipient_public_key_2, ['description' => 'Nice song for you'])
$jwewill be a valid JWE object built for two recipients. The unprotected header parameter
authoris applicable to the whole token while
descriptionare available only for the first and second recipient respectively.
Note: when an unprotected header is set, the Compact Serialization mode is not available.