How do I integrate tuupola/slim-jwt-auth with a framework like Laravel that doesn't use PSR standards natively?

You'll need to ensure your Laravel setup supports PSR-7 and PSR-15 via packages like laminas-diactoros or similar. Otherwise, consider a Laravel-specific JWT package for easier integration.

Can this middleware handle OAuth 2.0 or OpenID Connect authentication?

No, it only validates JWT tokens and doesn't implement OAuth 2.0 flows. You'd need a separate OAuth server or service for token issuance and authorization grants.

What's the difference between tuupola/slim-jwt-auth and firebase/php-jwt?

tuupola/slim-jwt-auth is a middleware layer built on firebase/php-jwt, adding HTTP integration, route protection, and PSR compatibility. firebase/php-jwt is a lower-level library for encoding/decoding JWTs without framework hooks.

How to customize error responses when a JWT token is invalid or expired?

Use the 'error' callback parameter to define custom logic, such as returning JSON error messages with specific HTTP status codes, as demonstrated in the README examples.

Is it safe to use tuupola/slim-jwt-auth in production since it's abandoned?

While it was well-designed, the lack of maintenance means no security updates or bug fixes. For production, consider migrating to the recommended replacement, jimtools/jwt-auth, or another actively maintained library.

How do I handle token refresh with this middleware?

The middleware doesn't support token refresh natively. You'll need to implement a separate endpoint or logic to issue new tokens and manage expiration, using the validated claims from the current token.

Slim JWT Auth — PSR-7/15 JWT Middleware for PHP

What is Slim JWT Auth?

tuupola/slim-jwt-auth is a PHP middleware that handles JSON Web Token authentication for applications using PSR-7 and PSR-15 standards. It validates JWT tokens from HTTP headers or cookies, enabling secure API access without implementing a full authentication server. It solves the problem of adding standardized, framework-agnostic JWT protection to PHP web services.

Target Audience

PHP developers building RESTful APIs or web applications with frameworks like Slim or Zend Expressive that need JWT-based authentication middleware.

Value Proposition

Developers choose this middleware for its strict adherence to PSR standards, making it interoperable across frameworks, and its focused design that handles only token validation—keeping it lightweight and flexible for integration into existing authentication flows.

PSR-7 and PSR-15 JWT Authentication Middleware

Use Cases

Best For

Adding JWT authentication to Slim Framework APIs
Securing Zend Expressive applications with token-based access
Protecting specific API routes with configurable path rules
Implementing custom authorization logic based on JWT claims
Developing microservices that require PSR-compliant middleware
Building stateless authentication for PHP REST APIs

Not Ideal For

Projects needing a complete authentication system with token generation and user management
Teams requiring active maintenance, regular updates, and long-term support
Applications built on non-PSR compliant or legacy PHP frameworks
New developments where future-proofing and community adoption are priorities

Pros & Cons

Pros

PSR Standards Compliance

Works with any PHP framework supporting PSR-7 and PSR-15 middleware interfaces, ensuring broad interoperability and ease of integration.

Flexible Token Extraction

Supports tokens from Authorization headers, custom headers, and cookies, with configurable regex patterns for parsing, as shown in the 'header' and 'regexp' options.

Fine-Grained Route Control

Allows specifying protected routes and exceptions via 'path' and 'ignore' parameters, enabling targeted authentication without affecting public endpoints.

Extensible Lifecycle Hooks

Provides 'before', 'after', and 'error' callbacks for custom request/response handling and logging, documented with examples for customization.

Cons

Abandoned Project

Officially marked as abandoned with no future updates or security patches, redirecting users to a replacement package (jimtools/jwt-auth), which poses risks for production use.

Incomplete Authentication Solution

Only handles token validation and parsing, leaving token generation, storage, and refresh mechanisms to be implemented separately, increasing development overhead.

Security Configuration Pitfalls

Requires careful setup to avoid vulnerabilities, such as enabling both HS256 and RS256 algorithms, which is warned against in the README as a security risk.

Frequently Asked Questions

What is Slim JWT Auth?

Target Audience

PHP developers building RESTful APIs or web applications with frameworks like Slim or Zend Expressive that need JWT-based authentication middleware.

Value Proposition

Use Cases

Best For

Adding JWT authentication to Slim Framework APIs
Securing Zend Expressive applications with token-based access
Protecting specific API routes with configurable path rules
Implementing custom authorization logic based on JWT claims
Developing microservices that require PSR-compliant middleware
Building stateless authentication for PHP REST APIs

Not Ideal For

Projects needing a complete authentication system with token generation and user management
Teams requiring active maintenance, regular updates, and long-term support
Applications built on non-PSR compliant or legacy PHP frameworks
New developments where future-proofing and community adoption are priorities

Pros & Cons

Pros

PSR Standards Compliance

Works with any PHP framework supporting PSR-7 and PSR-15 middleware interfaces, ensuring broad interoperability and ease of integration.

Flexible Token Extraction

Supports tokens from Authorization headers, custom headers, and cookies, with configurable regex patterns for parsing, as shown in the 'header' and 'regexp' options.

Fine-Grained Route Control

Allows specifying protected routes and exceptions via 'path' and 'ignore' parameters, enabling targeted authentication without affecting public endpoints.

Extensible Lifecycle Hooks

Provides 'before', 'after', and 'error' callbacks for custom request/response handling and logging, documented with examples for customization.

Cons

Abandoned Project

Officially marked as abandoned with no future updates or security patches, redirecting users to a replacement package (jimtools/jwt-auth), which poses risks for production use.

Incomplete Authentication Solution

Only handles token validation and parsing, leaving token generation, storage, and refresh mechanisms to be implemented separately, increasing development overhead.

Security Configuration Pitfalls

Requires careful setup to avoid vulnerabilities, such as enabling both HS256 and RS256 algorithms, which is warned against in the README as a security risk.

Frequently Asked Questions

Slim JWT Auth

What is Slim JWT Auth?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

Slim JWT Auth

What is Slim JWT Auth?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?