Creating and Verifying JWT Signatures in PHP using HS256 and RS256

JSON Web Tokens (JWTs) are widely used these days for authentication, whether as traditional session cookie tokens, API tokens or OAuth 2.0 access tokens. The major benefit of JWTs is that the server doesn't need to store the session data in its own memory, in a separate file or database, or in a cache system (redis, memcached, etc.): the token itself carries the claims, and the signature is what lets the server trust them. Hence the session data is not "stored" anywhere, and we don't have to read from or write to an external database or caching layer to fetch or store session information, which becomes a bigger problem at scale (distributed data behind load balancers, etc.). In practice, though, you'll usually end up taking an ID from the JWT (server-side) and querying the DB to get more information or at least to validate it. So the last point (around scale) isn't really a benefit in the long run, but it is still worth making for a small or medium-sized app that nonetheless has load balancers and multiple external databases and caching systems.
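The following is an added example, not code from the original article, showing what "the signature is what lets the server trust the claims" means in practice: a minimal HS256 and RS256 signer/verifier in plain PHP. It assumes only the bundled ext/json and ext/openssl extensions; the key material, claim values and `jwt_sign`/`jwt_verify` function names are all constructed for illustration. The verifier pins the expected algorithm and the key it will use rather than trusting the token's own `alg` header, uses `hash_equals` for the HMAC comparison, and checks `exp`/`nbf` before returning any claims.

```php
<?php
// Added example (not the article's code): HS256 and RS256 JWT signing and
// verification with ext/openssl and ext/json only. Names and keys are constructed.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $pad = strlen($data) % 4;
    if ($pad) { $data .= str_repeat('=', 4 - $pad); }
    $out = base64_decode(strtr($data, '-_', '+/'), true); // strict: reject junk
    return $out === false ? '' : $out;
}

// $key is the HMAC secret (string) for HS256, or an OpenSSL private key for RS256.
function jwt_sign(array $claims, string $alg, $key): string {
    $header  = base64url_encode(json_encode(['alg' => $alg, 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode($claims));
    $input   = "$header.$payload";
    if ($alg === 'HS256') {
        $sig = hash_hmac('sha256', $input, $key, true);
    } elseif ($alg === 'RS256') {
        if (!openssl_sign($input, $sig, $key, OPENSSL_ALGO_SHA256)) {
            throw new RuntimeException('openssl_sign failed');
        }
    } else {
        throw new InvalidArgumentException("unsupported alg $alg");
    }
    return "$input." . base64url_encode($sig);
}

// Returns the verified claims, or null on any failure. $expectedAlg and $key
// come from server configuration; the token's header is only checked against them.
function jwt_verify(string $jwt, string $expectedAlg, $key, ?int $now = null): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    // Never dispatch on the header's "alg": the verifier decides what is acceptable.
    if (!is_array($header) || ($header['alg'] ?? null) !== $expectedAlg) { return null; }
    $sig   = base64url_decode($s);
    $input = "$h.$p";
    if ($expectedAlg === 'HS256') {
        $ok = hash_equals(hash_hmac('sha256', $input, $key, true), $sig); // constant-time
    } elseif ($expectedAlg === 'RS256') {
        $ok = openssl_verify($input, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
    } else {
        return null;
    }
    if (!$ok) { return null; }
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) { return null; }
    $now = $now ?? time();
    if (isset($claims['exp']) && $now >= $claims['exp']) { return null; } // expired
    if (isset($claims['nbf']) && $now <  $claims['nbf']) { return null; } // not yet valid
    return $claims;
}

// --- usage with constructed keys and claims ---
$hmacSecret = random_bytes(32); // constructed; load from a secret store in real use
$claims = ['sub' => 'user-42', 'iat' => time(), 'exp' => time() + 300];

// HS256: same secret signs and verifies.
$hs = jwt_sign($claims, 'HS256', $hmacSecret);
$verified = jwt_verify($hs, 'HS256', $hmacSecret);
echo 'HS256 verified sub: ', var_export($verified['sub'] ?? null, true), PHP_EOL;

// Editing the payload without the secret leaves the signature mismatched.
[$h, $p, $s] = explode('.', $hs);
$forged = "$h." . base64url_encode(json_encode(['sub' => 'admin'])) . ".$s";
echo 'Forged payload accepted? ', var_export(jwt_verify($forged, 'HS256', $hmacSecret) !== null, true), PHP_EOL;

// RS256: sign with the private key, verify with the public key only.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub  = openssl_pkey_get_details($priv)['key']; // PEM public key
$rs = jwt_sign($claims, 'RS256', $priv);
echo 'RS256 verified sub: ', var_export(jwt_verify($rs, 'RS256', $pub)['sub'] ?? null, true), PHP_EOL;

// A token whose header names a different algorithm than the verifier expects is rejected
// before any signature check, whatever key is supplied.
echo 'RS256 token accepted by HS256 verifier? ', var_export(jwt_verify($rs, 'HS256', $pub) !== null, true), PHP_EOL;
```

Run it with `php jwt_example.php` (PHP 7.4 or later with ext/openssl). The important design choice is in `jwt_verify`: the caller supplies both the algorithm and the key, so a token cannot steer the verifier onto a different algorithm or key than the one the server configured, which is the check that makes storing nothing server-side safe in the first place.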