API Reference
Complete reference for every public class and method in Flytachi JWT. All classes live
under the Flytachi\Jwt namespace.
JWT
The façade for encoding and decoding. Two static methods, no state.
JWT::encode()
JWT::encode(JwtPayload $payload, PrivateKey $privateKey): stringBuilds the header from the key, signs header.payload, and returns the compact
header.payload.signature string.
| Parameter | Type | Description |
|---|---|---|
$payload |
JwtPayload |
The claims to encode. |
$privateKey |
PrivateKey |
Key material + algorithm (+ optional kid). |
Returns string — the encoded JWT. Throws JWTException if the algorithm is
unsupported, the key type doesn’t match the algorithm, or signing fails.
JWT::decode()
JWT::decode(string $token, array $publicKeys, int $leeway = 0): JwtPayloadSplits the token, selects the verifying key, checks the signature, and validates the time claims.
| Parameter | Type | Default | Description |
|---|---|---|---|
$token |
string |
— | The compact JWT string. |
$publicKeys |
array<string, PublicKey> |
— | Map of [kid => PublicKey]. For HS* the first entry is used and kid is ignored. |
$leeway |
int |
0 |
Seconds of clock-skew tolerance applied to exp/nbf/iat. |
Returns JwtPayload — the verified claims. Throws JWTException on wrong
segment count, unsupported/mismatched algorithm, missing or unknown kid, signature
failure, or a failed time claim. Any non-JWTException error thrown internally is
wrapped in a JWTException.
Key selection differs by family
For HS* tokens decode() uses reset($publicKeys) — the first key — and ignores
kid. For RS*/ES* it requires a kid in the header and looks it up in the map.
See Verifying with JWKS.
JWK
Parser that converts JSON Web Keys into PublicKey objects. Static methods only.
JWK::parseKeySet()
JWK::parseKeySet(array $jwksData): arrayParses a full JWKS document into a [kid => PublicKey] map.
| Parameter | Type | Description |
|---|---|---|
$jwksData |
array |
The decoded JWKS array — must contain a keys array. |
Returns array<string, PublicKey>. Entries without a kid, or that fail to parse,
are silently skipped. Throws InvalidArgumentException only if the top-level
keys array is missing.
JWK::parseKey()
JWK::parseKey(array $jwkData): PublicKeyConverts a single JWK object into a PublicKey.
kty |
Required fields | Notes |
|---|---|---|
RSA |
n, e |
Modulus and exponent (base64url). |
EC |
crv, x, y |
Curve P-256, P-384, or P-521. |
oct |
k |
Symmetric key value (base64url) for HS*. |
Every JWK must also include alg. Throws InvalidArgumentException for a missing
kty/alg/required field or an unsupported kty/curve, and RuntimeException if
OpenSSL can’t build the key.
JwtPayload
Value object holding a token’s claims.
new JwtPayload(array $claims)| Method | Signature | Description |
|---|---|---|
getClaim() |
getClaim(string $name, mixed $default = null): mixed |
Returns a claim, or $default if absent. |
toArray() |
toArray(): array |
Returns all claims as an associative array. |
JwtHeader
Value object for the token header. Built for you by encode() from the PrivateKey;
rarely constructed directly.
new JwtHeader(string $algorithm, ?string $keyId = null, array $extra = [])| Property | Type | Description |
|---|---|---|
$algorithm |
string |
Emitted as alg. |
$type |
string |
Emitted as typ; defaults to 'JWT'. |
$keyId |
?string |
Emitted as kid when not null. |
$extra |
array |
Extra header fields, merged into the output. |
toArray() returns the header as ['alg' => …, 'typ' => 'JWT', 'kid' => …] plus any
$extra.
PrivateKey
The signing key. Passed to encode().
new PrivateKey(
OpenSSLAsymmetricKey|string $keyMaterial,
string $algorithm,
?string $keyId = null
)| Parameter | Type | Description |
|---|---|---|
$keyMaterial |
OpenSSLAsymmetricKey | string |
A secret string for HS*; an OpenSSL private key object for RS*/ES*. |
$algorithm |
string |
e.g. HS256, RS256, ES256. |
$keyId |
?string |
The kid written into the header — required for asymmetric tokens. |
Getters: getAlgorithm(): string, getKeyMaterial(): OpenSSLAsymmetricKey|string,
getKeyId(): ?string.
PublicKey
The verifying key. Passed to decode() (in the $publicKeys map).
new PublicKey(
OpenSSLAsymmetricKey|string $keyMaterial,
string $algorithm = 'HS256'
)| Parameter | Type | Default | Description |
|---|---|---|---|
$keyMaterial |
OpenSSLAsymmetricKey | string |
— | A secret string for HS*; an OpenSSL public key object for RS*/ES*. |
$algorithm |
string |
'HS256' |
Must match the token’s alg or decode() throws. |
Getters: getAlgorithm(): string, getKeyMaterial(): OpenSSLAsymmetricKey|string.
JWTException
Extends \DomainException. The single exception type thrown by JWT::encode() and
JWT::decode() — one catch (JWTException $e) covers every token failure. (The JWK
parser throws standard InvalidArgumentException/RuntimeException instead.)
Related
- Algorithms — supported algorithms and key types
- Security model — how verification is hardened
- Working with claims — using
JwtPayload