> Integrate JWT (JSON Web Token) validation within your PHP application to parse, verify and validate tokens.

# PHP: Validating JWTs (JSON Web Tokens) with Auth0-PHP

The Auth0 PHP SDK provides an `Auth0\SDK\Token` class used for processing <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JSON+Web+Tokens">JSON Web Tokens</Tooltip> (JWT). It enables you to decode, validate and verify tokens for use by your application. More information on JWTs and how to build and decode them can be found at [jwt.io](https://jwt.io/).

The class can process both HS256 and RS256 tokens. Both types require the algorithm and valid audiences to be configured with the SDK before processing. HS256 tokens require the <Tooltip tip="Client Secret: Secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable." cta="View Glossary" href="/docs/glossary?term=client+secret">client secret</Tooltip> to be configured. RS256 tokens require an authorized issuer, which is used to fetch a JWKS file during the decoding process. ([More about signing algorithms here](https://auth0.com/blog/navigating-rs256-and-jwks/).)

## Prerequisites

The documentation below assumes that you followed the steps in the [PHP getting started guide](/docs/libraries/auth0-php), and continues from the code provided there.

## Example Usage

The following is an example of a small, URL-based JSON Web Token processor based on the SDK's `Token` class.

```php lines expandable
<?php

// Import the Composer Autoloader to make the SDK classes accessible:
require 'vendor/autoload.php';

// Load our environment variables from the .env file:
(Dotenv\Dotenv::createImmutable(__DIR__))->load();

$token = filter_var($_GET['token'] ?? null, FILTER_UNSAFE_RAW, FILTER_NULL_ON_FAILURE);
$algorithm = filter_var($_GET['algorithm'] ?? 'HS256', FILTER_UNSAFE_RAW, FILTER_NULL_ON_FAILURE);

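// A missing parameter is filtered to an empty string, so reject that as well as null:
if ($token === null || $token === '') {
    die('No `token` request parameter.');
}

// Only accept an algorithm from this allowlist (strict comparison):
if (! in_array($algorithm, ['HS256', 'RS256'], true)) {
    die('Invalid `algorithm` supplied.');
}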

// The Auth0 SDK includes a helpful token processing utility we'll leverage for this:
// (Dotenv loads the .env values into the $_ENV superglobal.)
$token = new \Auth0\SDK\Token([
    'domain' => $_ENV['AUTH0_DOMAIN'],
    'clientId' => $_ENV['AUTH0_CLIENT_ID'],
    'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
    'tokenAlgorithm' => $algorithm
], $token, \Auth0\SDK\Token::TYPE_ID_TOKEN);

// Verify the token: (This will throw an \Auth0\SDK\Exception\InvalidTokenException if verification fails.)
$token->verify();

// Validate the token claims: (This will throw an \Auth0\SDK\Exception\InvalidTokenException if validation fails.)
$token->validate();

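// Print the decoded claims, HTML-escaped because they are rendered into the page:
echo '<pre>';
echo htmlspecialchars(print_r($token->toArray(), true));
echo '</pre>';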
```

Both `verify()` and `validate()` accept a number of optional arguments that can be used to customize their behavior, including validating <Tooltip tip="Nonce: Arbitrary number issued once in an authentication protocol to detect and prevent replay attacks." cta="View Glossary" href="/docs/glossary?term=nonce">nonce</Tooltip> claims, restricting the maximum time since a token's `auth_time`, setting a `leeway` clock tolerance for time checks, and more. Both methods are fully commented, so you can review these options in the source code or in your IDE of choice.
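To make the difference between verifying and validating concrete, the following added example (not part of the SDK or of the original page) writes out both stages by hand for an HS256 token: the signature check against the client secret, then the issuer, audience, expiry-with-leeway and nonce checks. The function names, the secret, the issuer and every claim value are constructed for illustration; in an application, use the SDK's `verify()` and `validate()` rather than this code.

```php
<?php
// Added illustration, not Auth0-PHP code: signature check and claim checks
// for an HS256 token, written out by hand. All values are constructed.
function b64u(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function unb64u(string $txt): string {
    $pad = str_repeat('=', (4 - strlen($txt) % 4) % 4);
    $bin = base64_decode(strtr($txt, '-_', '+/') . $pad, true);
    if ($bin === false) throw new RuntimeException('Malformed base64url segment');
    return $bin;
}

function checkHs256(string $jwt, string $secret, string $iss, string $aud,
                    string $nonce, int $leeway, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('Token must have three segments');
    [$h, $p, $s] = $parts;
    // The verifier pins the algorithm; the token header is only compared against it.
    $header = json_decode(unb64u($h), true);
    if (($header['alg'] ?? null) !== 'HS256') throw new RuntimeException('Unexpected alg');
    // Verification: recompute the HMAC over "header.payload", compare in constant time.
    if (!hash_equals(hash_hmac('sha256', "$h.$p", $secret, true), unb64u($s))) {
        throw new RuntimeException('Bad signature');
    }
    // Validation: claims are read only after the signature has been accepted.
    $c = json_decode(unb64u($p), true);
    if (!is_array($c)) throw new RuntimeException('Malformed payload');
    if (($c['iss'] ?? null) !== $iss) throw new RuntimeException('Wrong issuer');
    if (!in_array($aud, (array) ($c['aud'] ?? []), true)) throw new RuntimeException('Wrong audience');
    if (!is_int($c['exp'] ?? null) || $c['exp'] + $leeway < $now) throw new RuntimeException('Expired');
    if (!is_string($c['nonce'] ?? null) || !hash_equals($nonce, $c['nonce'])) throw new RuntimeException('Nonce mismatch');
    return $c;
}

// Constructed sample token, signed with a placeholder secret.
$secret = 'example-client-secret';
$now = 1700000000;
$claims = ['iss' => 'https://tenant.example/', 'aud' => 'example-client-id', 'exp' => $now - 30, 'nonce' => 'n-123'];
$body = b64u(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])) . '.' . b64u(json_encode($claims));
$jwt = $body . '.' . b64u(hash_hmac('sha256', $body, $secret, true));

// The token expired 30 seconds before $now; a 60-second leeway still admits it.
print_r(checkHs256($jwt, $secret, 'https://tenant.example/', 'example-client-id', 'n-123', 60, $now));
// Under a different key the same token fails verification before any claim is read.
try {
    checkHs256($jwt, 'other-secret', 'https://tenant.example/', 'example-client-id', 'n-123', 60, $now);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```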

## Learn more

* [PHP: Logging in, out, and returning user profiles with Auth0-PHP](/docs/libraries/auth0-php/auth0-php-basic-use)
* [PHP: Using the Authentication API with Auth0-PHP](/docs/libraries/auth0-php/using-the-authentication-api-with-auth0-php)
* [PHP: Using the Management API with Auth0-PHP](/docs/libraries/auth0-php/using-the-management-api-with-auth0-php)
* [PHP: Troubleshooting your Auth0-PHP integration](/docs/libraries/auth0-php/troubleshoot-auth0-php-library)
