# Detached Payload

As per [RFC 7515, Appendix F](https://tools.ietf.org/html/rfc7515#appendix-F), the payload of a JWS may be detached. This framework supports this feature.

## JWS Creation

Creating a JWS with a detached payload is almost the same as creating one with the payload attached. The following example comes from the [JWS Creation page](/v3.0-1/the-components/signed-tokens-jws/jws-creation.md). Only one argument changes in the call to `withPayload`.

```php
<?php

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\HS256;
use Jose\Component\Signature\JWSBuilder;

// The algorithm manager with the HS256 algorithm.
$algorithmManager = new AlgorithmManager([
    new HS256(),
]);

// Our key.
$jwk = new JWK([
    'kty' => 'oct',
    'k' => 'dzI6nbW4OcNF-AtfxGAmuyz7IpHRudBI0WgGjZWgaRJt6prBn3DARXgUR8NVwKhfL43QBIU2Un3AvCGCHRgY4TbEqhOi8-i98xxmCggNjde4oaW6wkJ2NgM3Ss9SOX9zS3lcVzdCMdum-RwVJ301kbin4UtGztuzJBeg5oVN00MGxjC2xWwyI0tgXVs-zJs5WlafCuGfX1HrVkIf5bvpE0MQCSjdJpSeVao6-RSTYDajZf7T88a2eVjeW31mMAg-jzAWfUrii61T_bYPJFOXW8kkRWoa1InLRdG6bKB9wQs9-VdXZP60Q4Yuj_WZ-lO7qV9AEFrUkkjpaDgZT86w2g',
]);

// We instantiate our JWS Builder.
$jwsBuilder = new JWSBuilder(
    $algorithmManager
);

// The payload we want to sign
$payload = json_encode([
    'iat' => time(),
    'nbf' => time(),
    'exp' => time() + 3600,
    'iss' => 'My service',
    'aud' => 'Your application',
]);

$jws = $jwsBuilder
    ->create()                               // We want to create a new JWS
    ->withPayload($payload, true)            // /!\ Here is the change! We set the payload and we indicate it is detached
    ->addSignature($jwk, ['alg' => 'HS256']) // We add a signature with a simple protected header
    ->build();
```

And voilà! When you serialize this token, the payload will not be present.

## JWS Loading

The loading of a signed token with a detached payload is as easy as when the payload is attached. The only difference is that you have to pass the payload to the JWS Verifier when you want to check the signature.

```php
<?php

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\HS256;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\JWSSerializerManager;
use Jose\Component\Signature\Serializer\CompactSerializer;

// The algorithm manager with the HS256 algorithm.
$algorithmManager = new AlgorithmManager([
    new HS256(),
]);

// Our key.
$jwk = new JWK([
    'kty' => 'oct',
    'k' => 'dzI6nbW4OcNF-AtfxGAmuyz7IpHRudBI0WgGjZWgaRJt6prBn3DARXgUR8NVwKhfL43QBIU2Un3AvCGCHRgY4TbEqhOi8-i98xxmCggNjde4oaW6wkJ2NgM3Ss9SOX9zS3lcVzdCMdum-RwVJ301kbin4UtGztuzJBeg5oVN00MGxjC2xWwyI0tgXVs-zJs5WlafCuGfX1HrVkIf5bvpE0MQCSjdJpSeVao6-RSTYDajZf7T88a2eVjeW31mMAg-jzAWfUrii61T_bYPJFOXW8kkRWoa1InLRdG6bKB9wQs9-VdXZP60Q4Yuj_WZ-lO7qV9AEFrUkkjpaDgZT86w2g',
]);

// The serializer manager. We only use the JWS Compact Serialization Mode.
$serializerManager = new JWSSerializerManager([
    new CompactSerializer(),
]);

// We instantiate our JWS Verifier.
$jwsVerifier = new JWSVerifier($algorithmManager);

// The detached payload
$payload = '{"iat":1507896992,"nbf":1507896992,"exp":1507900592,"iss":"My service","aud":"Your application"}';

// The input we want to check
$token = 'eyJhbGciOiJIUzI1NiJ9..eycp9PTdgO4WA-68-AMoHPwsKDr68NhjIQKz4lUkiI0';

// We try to load the token.
$jws = $serializerManager->unserialize($token);

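// We verify the signature. The method returns a boolean that must be checked.
// /!\ The third argument is the index of the signature to check,
// the fourth one is the detached payload.
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0, $payload);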
```
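
What the detached form looks like on the wire, as an added example that is not part of the framework or of the original page: plain PHP with a constructed key and payload, where `signDetached` and `verifyDetached` are hypothetical helper names. The signature still covers the payload, so verification succeeds only when the caller supplies the exact bytes that were signed.

```php
<?php

declare(strict_types=1);

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Sign over BASE64URL(header) . '.' . BASE64URL(payload), then emit the
// compact form with an empty payload segment (RFC 7515, Appendix F).
function signDetached(string $payload, string $key): string
{
    $header = b64url('{"alg":"HS256"}');
    $mac = hash_hmac('sha256', $header . '.' . b64url($payload), $key, true);

    return $header . '..' . b64url($mac);
}

// The verifier re-inserts the payload it received out of band before
// recomputing the MAC; the token alone carries nothing to compare against.
function verifyDetached(string $token, string $payload, string $key): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || $parts[1] !== '') {
        return false; // not a compact JWS with a detached payload
    }
    [$header, , $signature] = $parts;
    // Pin the algorithm: only the exact HS256 header used above is accepted.
    if ($header !== b64url('{"alg":"HS256"}')) {
        return false;
    }
    $mac = hash_hmac('sha256', $header . '.' . b64url($payload), $key, true);

    return hash_equals(b64url($mac), $signature); // constant-time comparison
}

// Constructed sample values, not taken from the page.
$key = random_bytes(32);
$payload = '{"iss":"My service","aud":"Your application"}';
$token = signDetached($payload, $key);

echo $token, PHP_EOL;                                 // header..signature
var_dump(verifyDetached($token, $payload, $key));     // payload as signed
var_dump(verifyDetached($token, str_replace('My', 'Any', $payload), $key)); // altered payload
```

Because the comparison is over bytes, a detached payload that was re-encoded on the way (different JSON key order or whitespace) fails verification just like a tampered one.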

