v0.3.0 2021-08-11 21:27 UTC

This package is auto-updated.

Last update: 2024-07-14 06:00:31 UTC


Build Status Latest Stable Version Latest Unstable Version License Downloads

Protect your code from being impacted by issue 351 in firebase/php-jwt.


First, install this library with Composer:

composer require paragonie/php-jwt-guard

And then in your PHP namespace imports, swap the namespace:

- use Firebase\JWT\JWT;
+ use ParagonIE\PhpJwtGuard\JWT;

You're no longer going to provide an array or ArrayAccess object to JWT. You will instead need to use the provided KeyRing class.

use ParagonIE\PhpJwtGuard\KeyRing;
use ParagonIE\PhpJwtGuard\JWT;

// Setup keyring:
$keyring = (new KeyRing())
    ->withHS256('key-id-foo', 'raw-key-data-goes-here')
    ->withHS384('key-id-bar', 'raw-key-data-goes-here-too')
    // ...
    ->withPS384('key-id-xyzzy', 'raw-key-data-goes-here-too')
    ->withPS512('key-id-thud', 'raw-key-data-goes-here-too');

// Pass it to JWT Dcode:
JWT::decode($jwt, $keyring, array($allowedAlgs));

Using the KeyRing class

KeyRing->with($alg, $keyId, $rawKeyData)


  1. string $alg - The algorithm this key is intended for
  2. string $keyId - The kid header that maps to this key
  3. string $rawKeyData - The actual key material. For asymmetric keys, this is usually PEM-encoded.

Returns the KeyRing object. Chainable.


Returns an integer.



  1. string $alg - The algorithm this key is intended for

Returns a new KeyRing object with a subset of all supported keys.