JSON Web TokenJSON Web Token
Home
Documentation
GitHub
  • English
  • 简体中文
Home
Documentation
GitHub
  • English
  • 简体中文
  • Introduction

    • Installation
    • Supported Algorithms
  • Usage

    • Configuration
    • Issuing tokens
    • Parsing tokens
    • Validating tokens
  • Guides

    • Extending the library

Validating tokens

To validate a token you must create a new validator (easier when using the Configuration) and assert or validate a token.

Using Validator#assert()

Warning You MUST provide at least one constraint, otherwise \Token\JWT\Exceptions\NoConstraintsException exception will be thrown.

This method goes through every single constraint in the set, groups all the violations, and throws an exception with the grouped violations:

use Token\JWT\Exceptions\RequiredConstraintsViolated;
use Token\JWT\Key;
use Token\JWT\Signature\None;
use Token\JWT\Factory;
use Token\JWT\Validation\Constraint\IdentifiedBy;
use Token\JWT\Validation\Constraint\SignedWith;

$factory = Factory::forSymmetricSigner(
    new None(),
    Key::empty()
);

//$jwt = $factory->builder()
//    ->identifiedBy(10000)
//    ->getToken($factory->signer(), $factory->signingKey())
//    ->toString();

$token = $factory->parser()->parse($jwt);

$factory->setValidationConstraints(
    new SignedWith($factory->signer(), $factory->signingKey()),
    new IdentifiedBy(10001)
);

$constraints = $factory->validationConstraints();

try {
    $factory->validator()->assert($token, ...$constraints);
} catch (RequiredConstraintsViolated $e) {
    // list of constraints violation exceptions:
    var_dump($e->violations());
}

var_dump($token->toString());

Using Validator#validate()

Warning You MUST provide at least one constraint, otherwise \Token\JWT\Exceptions\NoConstraintsException exception will be thrown.

The difference here is that we'll always a get a boolean result and stop in the very first violation:

use Token\JWT\Key;
use Token\JWT\Signature\Hmac\HS256;
use Token\JWT\Factory;
use Token\JWT\Validation\Constraint\IdentifiedBy;
use Token\JWT\Validation\Constraint\SignedWith;

$algorithm  = new HS256();
$signingKey = Key::plainText(random_bytes(32));

$factory = Factory::forSymmetricSigner(
    $algorithm,
    $signingKey
);

$jwt = $factory->builder()
    ->identifiedBy(10000)
    ->getToken($factory->signer(), $factory->signingKey())
    ->toString();

$token = $factory->parser()->parse($jwt);

$factory->setValidationConstraints(
    new SignedWith($factory->signer(), $factory->signingKey()),
    new IdentifiedBy(10000)
);

$constraints = $factory->validationConstraints();

if (!$factory->validator()->validate($token, ...$constraints)) {
    throw new RuntimeException('No way!');
}

var_dump($token->toString());

Available constraints

This library provides the following constraints:

  • Token\JWT\Validation\Constraint\IdentifiedBy: verifies if the claim jti matches the expected value
  • Token\JWT\Validation\Constraint\IssuedBy: verifies if the claim iss is listed as expected values
  • Token\JWT\Validation\Constraint\PermittedFor: verifies if the claim aud contains the expected value
  • Token\JWT\Validation\Constraint\RelatedTo: verifies if the claim sub matches the expected value
  • Token\JWT\Validation\Constraint\SignedWith: verifies if the token was signed with the expected signer and key
  • Token\JWT\Validation\Constraint\ValidAt: verifies the claims iat, nbf, and exp (supports leeway configuration)

You may also create your Validation constraints.

Last Updated:: 4/16/25, 4:45 PM
Contributors: jundayw
Prev
Parsing tokens