How to use JWT and JWS for API authentication in PHP
In today's information age, API is no longer just a technology in the software development process, it has become an indispensable component in modern Web applications. Since API interfaces are vulnerable to attacks, security is one of the important considerations when developing APIs. JWT (JSON Web Token) and JWS (JSON Web Signature) are two authentication methods commonly used to secure APIs.
JWT is a JSON-based security token used to transmit information between communicating parties. It consists of three parts: header, payload and signature. The header describes the token type and algorithm, the payload contains the required information, and the signature is used to verify the authenticity of the token. When using JWT, this token will be used as the authentication token for API requests.
JWS is a standard for adding digital signatures to text strings. It allows messages to be transmitted securely in untrusted environments and ensures sender authentication and message integrity. JWS typically uses SHA-256 or SHA-512 algorithms to generate signatures.
In this article, we will explore how to use JWT and JWS in PHP for API authentication.
Step 1: Install dependencies
First, we need to install some dependencies to support JWT and JWS. Install the dependencies using the following command:
composer require firebase/php-jwt composer require lcobucci/jwt
Step 2: Generate JWT
Before using JWT, we need to generate the JWT first. The following is the PHP code used to generate the JWT:
use FirebaseJWTJWT;
// Set up the JWT payload data
$payload = array(
"sub" => "1234567890",
"name" => "John Doe",
"iat" => 1516239022
);
// Set up the JWT secret key
$secret_key = "YOUR_SECRET_KEY";
// Generate the JWT
$jwt = JWT::encode($payload, $secret_key);With this code, we successfully generated a JWT. In this code we set the headers, payload and signature. The header contains the type and algorithm of the JWT, the payload consists of the data we provide, such as user ID, username, etc., and the signature is used to verify the authenticity of the token.
Step 3: Verify the JWT
The next step is to verify the JWT. We need to use the following code to verify the JWT:
use FirebaseJWTJWT;
// Set up the JWT secret key
$secret_key = "YOUR_SECRET_KEY";
// Get the JWT from the request headers
$jwt = getAuthorizationHeader();
// Verify the JWT
try {
$payload = JWT::decode($jwt, $secret_key, array('HS256'));
} catch (Exception $e) {
// If the JWT is invalid, return an error response
return json_encode(array(
'success' => false,
'message' => 'Invalid JWT'
));
}
// If the JWT is valid, return a success response with the payload data
return json_encode(array(
'success' => true,
'message' => 'Valid JWT',
'payload' => $payload
));
// Function to get the Authorization header from the request
function getAuthorizationHeader()
{
$headers = apache_request_headers();
if (isset($headers['Authorization'])) {
return $headers['Authorization'];
} else {
return null;
}
}In this code, we use the JWT::decode() function to verify the JWT. If validation is successful, an object containing the JWT payload data will be returned, otherwise the caught exception will be returned with an error response.
Step 4: Generate JWS
Now that we have mastered how to generate and validate a JWT, we will learn how to use JWS to secure an API. The following is a PHP code snippet that generates JWS:
use LcobucciJWTBuilder;
use LcobucciJWTSignerHmacSha256;
// Set up the JWT signer
$signer = new Sha256();
// Set up the JWT builder
$builder = new Builder();
$builder->setIssuer('http://example.com');
$builder->setAudience('http://example.org');
$builder->setId('4f1g23a12aa', true);
$builder->setIssuedAt(time());
$builder->setExpiration(time() + 3600);
$builder->set('uid', 1);
// Sign the JWT
$token = $builder->sign($signer, 'YOUR_SECRET_KEY')->getToken();
// Get the token string
$jwt = (string) $token;Step 5: Verify JWS
The last step is to verify the JWS, we need to use the following code:
use LcobucciJWTValidationData;
// Set up the JWT secret key
$secret_key = "YOUR_SECRET_KEY";
// Get the JWT from the request headers
$jwt = getAuthorizationHeader();
// Verify the JWS
$token = $signer->loadToken($jwt);
$validationData = new ValidationData();
$validationData->setIssuer('http://example.com');
$validationData->setAudience('http://example.org');
$validationData->setId('4f1g23a12aa');
$validationData->setCurrentTime(time());
if (!$token->validate($validationData) || !$token->verify($signer, $secret_key)) {
// If the JWS is invalid, return an error response
return json_encode(array(
'success' => false,
'message' => 'Invalid JWS'
));
}
// If the JWS is valid, return a success response with the payload data
$payload = $token->getClaims();
return json_encode(array(
'success' => true,
'message' => 'Valid JWS',
'payload' => $payload
));In this paragraph In the code, we use the loadToken() method to load the JWT into the validator, use the validate() method to verify the content of the JWT, and use the verify() method to verify that the JWT signature is correct. Finally, we provide a valid response containing the data from the payload obtained from the JWS if the validation was successful.
Conclusion
Overall, using JWT and JWS for API authentication in PHP is very good practice. Using these techniques, we can ensure that the API is only accessed by authorized users and protect the API from malicious users. By following the above steps, we can easily implement this secure authentication in PHP.
The above is the detailed content of How to use JWT and JWS for API authentication in PHP. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1389
52
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
7 PHP Functions I Regret I Didn't Know Before
Nov 13, 2024 am 09:42 AM
If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
Explain JSON Web Tokens (JWT) and their use case in PHP APIs.
Apr 05, 2025 am 12:04 AM
JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,
How do you parse and process HTML/XML in PHP?
Feb 07, 2025 am 11:57 AM
This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an
PHP Program to Count Vowels in a String
Feb 07, 2025 pm 12:12 PM
A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total
Explain late static binding in PHP (static::).
Apr 03, 2025 am 12:04 AM
Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.
What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases?
Apr 03, 2025 am 12:03 AM
What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.
