explaingit

lcobucci/jwt

7,479 stars · PHP · Audience: developer · Complexity: 2/5 · Setup: easy

TLDR

A PHP library for creating, signing, and verifying JSON Web Tokens, the standard way to authenticate users across APIs without storing sessions, so any service can trust the same login.

Mindmap

mindmap
  root((lcobucci/jwt))
    What it does
      Create tokens
      Sign tokens
      Verify tokens
    JWT basics
      Claims payload
      Cryptographic signature
      URL-safe string
    Common use cases
      User authentication
      Stateless APIs
      Multi-service auth
    Setup
      Composer install
      Packagist registry
      Full docs on ReadTheDocs

Things people build with this

USE CASE 1

Issue a signed JWT when a user logs in so your API can verify identity on every request without hitting a database.

USE CASE 2

Share authentication state between multiple PHP microservices by verifying the same JWT token across all of them.

USE CASE 3

Build a stateless REST API where mobile and single-page app clients authenticate using tokens instead of cookies.

Tech stack

PHP · Composer

Getting it running

Difficulty: easy · Time to first run: 30 min
No license information was mentioned in the explanation.

In plain English

This is a PHP library for creating, signing, and verifying JSON Web Tokens (JWTs) and JSON Web Signatures (JWS), following the RFC 7519 standard. JWTs are a widely used format for passing information between systems in a way that can be verified and trusted. The most common use case is user authentication: when someone logs in, a server issues a signed token, and the client includes that token in future requests to prove who they are, without the server needing to look up a session in a database each time.

A JWT works by bundling a set of claims (pieces of information, like a user ID or an expiry time) into a compact, URL-safe string, then signing that string with a cryptographic key. Anyone who receives the token can verify the signature to confirm it was issued by a trusted source and has not been altered in transit. This approach is popular for APIs and single-page applications where multiple services need to trust the same authentication state.

The library is installed via Composer, the standard PHP dependency manager. Once added to a project, it provides a structured API for building tokens with custom fields, applying signatures using supported algorithms, and validating incoming tokens. The README for this project is minimal and refers readers to the full documentation hosted on ReadTheDocs for usage examples, algorithm options, and configuration details. It is available via Packagist, the main PHP package registry, and has accumulated nearly 7,500 GitHub stars, reflecting wide adoption across the PHP ecosystem over several years.
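The claims-then-signature mechanism described above, written out in plain PHP as an added example; it is not code from lcobucci/jwt and does not use its API. The function names, the HS256 choice, the key and the claims are assumptions constructed for the illustration, and the verifier pins the algorithm and checks `exp` itself.

```php
<?php
declare(strict_types=1);
// Added illustration in plain PHP; these helpers are not lcobucci/jwt's API.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): ?string {
    $txt .= str_repeat('=', (4 - strlen($txt) % 4) % 4); // restore stripped padding
    $bin = base64_decode(strtr($txt, '-_', '+/'), true);
    return $bin === false ? null : $bin;
}

function issue_token(array $claims, string $key): string {
    $header = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url_encode(json_encode($claims));
    // The signature covers the header and claims exactly as transmitted.
    $sig = hash_hmac('sha256', "$header.$body", $key, true);
    return "$header.$body." . b64url_encode($sig);
}

function verify_token(string $jwt, string $key, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$header, $body, $sig] = $parts;
    $head = json_decode((string) b64url_decode($header), true);
    // Pin the algorithm: the token's own header must not choose how it is verified.
    if (!is_array($head) || ($head['alg'] ?? null) !== 'HS256') return null;
    $given = b64url_decode($sig);
    $expected = hash_hmac('sha256', "$header.$body", $key, true);
    // Constant-time comparison avoids leaking how many signature bytes matched.
    if ($given === null || !hash_equals($expected, $given)) return null;
    // Claims are read only after the signature has been accepted.
    $claims = json_decode((string) b64url_decode($body), true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null)) return null;
    return $claims['exp'] > $now ? $claims : null;
}

// Constructed sample data: random key, made-up subject, one-hour lifetime.
$key = random_bytes(32);
$now = time();
$jwt = issue_token(['sub' => 'user-42', 'exp' => $now + 3600], $key);
[$h, , $s] = explode('.', $jwt);
$altered = "$h." . b64url_encode(json_encode(['sub' => 'admin', 'exp' => $now + 3600])) . ".$s";
var_dump(verify_token($jwt, $key, $now));         // untouched token
var_dump(verify_token($altered, $key, $now));     // claims changed after signing
var_dump(verify_token($jwt, $key, $now + 7200));  // checked after expiry
```

In a real service the library's own builder, parser and validation constraints replace these helpers; the sketch only shows what those checks are protecting.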

Copy-paste prompts

Prompt 1
Using lcobucci/jwt in PHP, write code that creates a signed JWT containing a user ID and an expiry 24 hours from now, using an HMAC-SHA256 algorithm.
Prompt 2
Show me how to verify an incoming JWT string with lcobucci/jwt and extract the user ID claim, returning an error if the token is expired or has an invalid signature.
Prompt 3
I need to issue JWTs in one PHP service and verify them in a different PHP service. Using lcobucci/jwt, show how to share the key and validate the token on the receiving end.
Prompt 4
Walk me through adding lcobucci/jwt to a Laravel project and writing a middleware that checks for a valid Bearer token on every API request.
Prompt 5
Generate a JWT with lcobucci/jwt that includes custom claims like user role and subscription tier, then show how to read those claims back out after verification.
Verify against the repo before relying on details.