Installation & Requirements
Flytachi JWT has a tiny footprint — two standard PHP extensions and nothing else. This page covers the requirements and how to produce the keys you’ll sign with.
System requirements
- PHP version — 8.1 or higher.
- Operating system — any. There are no POSIX dependencies, so Linux, macOS, BSD, and Windows all work.
- PHP extensions:
  - `ext-openssl` — signing/verifying RSA and ECDSA tokens, and converting JWKS keys to usable public keys.
  - `ext-json` — encoding and decoding the token's header and payload segments.

Check installed extensions with `php -m`.
Install the package with Composer:

```shell
composer require flytachi/jwt
```

No extra runtime dependencies

The library requires only ext-openssl and ext-json — both ship with virtually every PHP build. The JWKS parser builds PEM keys in pure PHP, so there's nothing else to install.
Choosing an algorithm
Which keys you need depends on the algorithm family. See the algorithms reference for the full matrix.
| Family | Key type | When to use |
|---|---|---|
| HMAC (HS*) | one shared secret string | Same party signs and verifies (your own API). |
| RSA (RS*) | private + public key pair | You sign; others verify with your public key. |
| ECDSA (ES*) | private + public key pair | Same as RSA, with smaller keys and signatures. |
HMAC: just a secret
For HS256/HS384/HS512 there are no files to generate — you need a single
strong secret string, shared by signer and verifier. Generate one with:
```shell
# 32 random bytes, base64-encoded
openssl rand -base64 32
```

Keep the secret secret

With HMAC the same key both signs and verifies. Anyone who has it can mint valid tokens — store it like a password (environment variable, secrets manager), never in source control.
RSA: generate a key pair
```shell
# Private key (used to sign)
openssl genrsa -out private.pem 2048

# Public key (used to verify) — derive it from the private key
openssl rsa -in private.pem -pubout -out public.pem
```

Load them in PHP with OpenSSL:

```php
use Flytachi\Jwt\Entity\PrivateKey;
use Flytachi\Jwt\Entity\PublicKey;

$signingKey = new PrivateKey(
    openssl_pkey_get_private(file_get_contents('private.pem')),
    'RS256',
    'my-key-id' // kid — required so decode() can find the matching public key
);

$verifyKey = new PublicKey(
    openssl_pkey_get_public(file_get_contents('public.pem')),
    'RS256'
);
```

ECDSA: generate a key pair
ECDSA uses named curves — P-256 for ES256, P-384 for ES384, P-521 for ES512:

```shell
# ES256 uses the prime256v1 (P-256) curve
openssl ecparam -name prime256v1 -genkey -noout -out ec-private.pem
openssl ec -in ec-private.pem -pubout -out ec-public.pem
```

Loading is identical to RSA — pass the OpenSSL key object and the matching algorithm (ES256). See the asymmetric keys guide for full sign/verify examples.
Never commit private keys
private.pem and ec-private.pem sign tokens on your behalf. Add them to
.gitignore and load them from a secure path or secret store at runtime.
Next steps
- Quickstart — sign and verify your first token
- Mental model — what a JWT actually is
- HMAC tokens — the simplest end-to-end flow