> ## Documentation Index
> Fetch the complete documentation index at: https://auth0-fix-docs-5528-php-updates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Integrate JWT (JSON Web Token) validation within your PHP application to parse, verify and validate tokens.

# Validate JWTs (JSON Web Tokens)

export const ReleaseStageNotice = ({feature, stage, plans, contact, terms}) => {
  const stageTextMap = {
    "beta": "Beta",
    "ea": "Early Access"
  };
  const stageText = stageTextMap[stage] || "a product release stage";
  const prsLink = "/docs/troubleshoot/product-lifecycle/product-release-stages";
  const linkify = (text, url) => {
    return <a href={url} target="_blank" rel="noreferrer" class="link">{text}</a>;
  };
  const includeDetails = (plans, contact, terms) => {
    const hasDetails = terms || plans || contact;
    if (!hasDetails) return null;
    return <span data-as="p">
            {plans && <>This feature is available for {linkify(`${plans} plans`, "https://auth0.com/pricing")}. </>}
            {contact && "To participate, contact " + contact + ". "}
            {terms && <>By using this feature, you agree to the applicable Free Trial terms in Okta's {linkify("Master Subscription Agreement", "https://www.okta.com/legal")}.</>}
        </span>;
  };
  return <Warning>
            <span data-as="p">
                <strong>The {feature} feature is in {linkify(stageText, prsLink)}.</strong>
            </span>

            {includeDetails(plans, contact, terms)}
        </Warning>;
};

<ReleaseStageNotice feature="Auth0 PHP SDK v9" stage="beta" />

The Auth0 PHP SDK provides a `Auth0\SDK\Token` class used for processing <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JSON+Web+Tokens">JSON Web Tokens</Tooltip> (JWT). It enables you to decode, validate and verify tokens for use by your application. More information on JWTs and how to build and decode them can be found [jwt.io](https://jwt.io/).

The class can process both HS256 and RS256 tokens. Both types require the algorithm and valid audiences to be configured with the SDK before processing. HS256 tokens require the <Tooltip tip="Client Secret: Secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable." cta="View Glossary" href="/docs/glossary?term=client+secret">client secret</Tooltip> to be configured. RS256 tokens require an authorized issuer, which is used to fetch a JWKs file during the decoding process. ([More about signing algorithms here](https://auth0.com/blog/navigating-rs256-and-jwks/).)

## Prerequisites

The documentation below assumes that you followed the steps in the [PHP getting started guide](/docs/libraries/auth0-php), and continue off from the code provided there.

## Example Usage

The following is an example of a small, URL-based JSON Web Token processor based on the SDK's `Token` class.

```php lines expandable theme={null}
<?php

// Import the Composer Autoloader to make the SDK classes accessible:
require 'vendor/autoload.php';

// Load our environment variables from the .env file:
(Dotenv\Dotenv::createImmutable(__DIR__))->load();

$token = filter_var($_GET['token'] ?? null, FILTER_UNSAFE_RAW, FILTER_NULL_ON_FAILURE);
$algorithm = filter_var($_GET['algorithm'] ?? 'HS256', FILTER_UNSAFE_RAW, FILTER_NULL_ON_FAILURE);

if ($token === null) {
    die('No `token` request parameter.');
}

if (! in_array($algorithm, ['HS256', 'RS256'])) {
    die('Invalid `algorithm` supplied.');
}

// The Auth0 SDK includes a helpful token processing utility we'll leverage for this:
$configuration = new \Auth0\SDK\Configuration\SdkConfiguration([
    'strategy'       => \Auth0\SDK\Configuration\SdkConfiguration::STRATEGY_NONE,
    'domain'         => $env['AUTH0_DOMAIN'],
    'clientId'       => $env['AUTH0_CLIENT_ID'],
    'clientSecret'   => $env['AUTH0_CLIENT_SECRET'],
    'tokenAlgorithm' => $algorithm,
]);

$token = new \Auth0\SDK\Token($configuration, $token, \Auth0\SDK\Token::TYPE_ID_TOKEN);

// Verify the token: (This will throw an \Auth0\SDK\Exception\InvalidTokenException if verification fails.)
$token->verify();

// Validate the token claims: (This will throw an \Auth0\SDK\Exception\InvalidTokenException if validation fails.)
$token->validate();

echo '<pre>';
print_r($token->toArray(), true);
echo '</pre>';
```

Both `verify()` and `validate()` offer a number of options arguments that can be used to customize their behavior, including validating <Tooltip tip="Nonce: Arbitrary number issued once in an authentication protocol to detect and prevent replay attacks." cta="View Glossary" href="/docs/glossary?term=nonce">nonce</Tooltip> claims, restricting maximum time since a token's `auth_time`, `leeway` clock tolerance for time checks, and more. These methods are fully commented for review of these options either via the source code or your IDE of choice.

## Learn more

* [PHP: Logging in, out, and returning user profiles with Auth0-PHP](/docs/libraries/auth0-php/auth0-php-basic-use)
* [PHP: Using the Authentication API with Auth0-PHP](/docs/libraries/auth0-php/using-the-authentication-api-with-auth0-php)
* [PHP: Using the Management API with Auth0-PHP](/docs/libraries/auth0-php/using-the-management-api-with-auth0-php)
* [PHP: Troubleshooting your Auth0-PHP integration](/docs/libraries/auth0-php/troubleshoot-auth0-php-library)
