Changelog

7.0.3 (2026-02-18)

Miscellaneous Chores

• add environment for Release Please job (#619) (300fd02)

7.0.2 (2025-12-16)

Bug Fixes

• add key length validation for ec keys (#615) (7044f9a)

7.0.0 (2025-12-15)

⚠️ ⚠️ ⚠️ Security Fixes ⚠️ ⚠️ ⚠️

• add key size validation (#613) (6b80341) NOTE: This fix will cause keys with a size below the minimally allowed size to break.

Features

• add SensitiveParameter attribute to security-critical parameters (#603) (4dbfac0)
• store timestamp in ExpiredException (#604) (f174826)

Bug Fixes

• validate iat and nbf on payload (#568) (953b2c8)

6.11.1 (2025-04-09)

Bug Fixes

• update error text for consistency (#528) (c11113a)

6.11.0 (2025-01-23)

Features

• support octet typed JWK (#587) (7cb8a26)

Bug Fixes

• refactor constructor Key to use PHP 8.0 syntax (#577) (29fa2ce)

6.10.2 (2024-11-24)

Bug Fixes

• Mitigate PHP8.4 deprecation warnings (#570) (76808fa)
• support php 8.4 (#583) (e3d68b0)

6.10.1 (2024-05-18)

Bug Fixes

• ensure ratelimit expiry is set every time (#556) (09cb208)
• ratelimit cache expiration (#550) (dda7250)

6.10.0 (2023-11-28)

Features

• allow typ header override (#546) (79cb30b)

6.9.0 (2023-10-04)

Features

• add payload to jwt exception (#521) (175edf9)

6.8.1 (2023-07-14)

Bug Fixes

• accept float claims but round down to ignore them (#492) (3936842)
• different BeforeValidException messages for nbf and iat (#526) (0a53cf2)

6.8.0 (2023-06-14)

Features

• add support for P-384 curve (#515) (5de4323)

Bug Fixes

• handle invalid http responses (#508) (91c39c7)

6.7.0 (2023-06-14)

Features

• add ed25519 support to JWK (public keys) (#452) (e53979a)

6.6.0 (2023-06-13)

Features

• allow get headers when decoding token (#442) (fb85f47)

Bug Fixes

• only check iat if nbf is not used (#493) (398ccd2)

6.5.0 (2023-05-12)

Bug Fixes

• allow KID of ‘0’ (#505) (9dc46a9)

Miscellaneous Chores

• drop support for PHP 7.3 (#495)

6.4.0 (2023-02-08)

Features

• add support for W3C ES256K (#462) (213924f)
• improve caching by only decoding jwks when necessary (#486) (78d3ed1)

6.3.2 (2022-11-01)

Bug Fixes

• check kid before using as array index (bad1b04)

6.3.1 (2022-11-01)

Bug Fixes

• casing of GET for PSR compat (#451) (60b52b7)
• string interpolation format for php 8.2 (#446) (2e07d8a)

6.3.0 / 2022-07-15

• Added ES256 support to JWK parsing (#399)
• Fixed potential caching error in CachedKeySet by caching jwks as strings (#435)

6.2.0 / 2022-05-14

• Added CachedKeySet (#397)
• Added $defaultAlg parameter to JWT::parseKey and JWT::parseKeySet (#426).

6.1.0 / 2022-03-23

• Drop support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0
• Add parameter typing and return types where possible

6.0.0 / 2022-01-24

• Backwards-Compatibility Breaking Changes: See the Release Notes for more information.
• New Key object to prevent key/algorithm type confusion (#365)
• Add JWK support (#273)
• Add ES256 support (#256)
• Add ES384 support (#324)
• Add Ed25519 support (#343)

5.0.0 / 2017-06-26

• Support RS384 and RS512. See #117. Thanks @joostfaassen!
• Add an example for RS256 openssl. See #125. Thanks @akeeman!
• Detect invalid Base64 encoding in signature. See #162. Thanks @psignoret!
• Update JWT::verify to handle OpenSSL errors. See #159. Thanks @bshaffer!
• Add array type hinting to decode method See #101. Thanks @hywak!
• Add all JSON error types. See #110. Thanks @gbalduzzi!
• Bugfix ‘kid’ not in given key list. See #129. Thanks @stampycode!
• Miscellaneous cleanup, documentation and test fixes. See #107, #115, #160, #161, and #165. Thanks @akeeman, @chinedufn, and @bshaffer!

4.0.0 / 2016-07-17

• Add support for late static binding. See #88 for details. Thanks to @chappy84!
• Use static $timestamp instead of time() to improve unit testing. See #93 for details. Thanks to @josephmcdermott!
• Fixes to exceptions classes. See #81 for details. Thanks to @Maks3w!
• Fixes to PHPDoc. See #76 for details. Thanks to @akeeman!

3.0.0 / 2015-07-22

• Minimum PHP version updated from 5.2.0 to 5.3.0.
• Add \Firebase\JWT namespace. See #59 for details. Thanks to @Dashron!
• Require a non-empty key to decode and verify a JWT. See #60 for details. Thanks to @sjones608!
• Cleaner documentation blocks in the code. See #62 for details. Thanks to @johanderuijter!

2.2.0 / 2015-06-22

• Add support for adding custom, optional JWT headers to JWT::encode(). See #53 for details. Thanks to @mcocaro!

2.1.0 / 2015-05-20

• Add support for adding a leeway to JWT:decode() that accounts for clock skew between signing and verifying entities. Thanks to @lcabral!
• Add support for passing an object implementing the ArrayAccess interface for $keys argument in JWT::decode(). Thanks to @aztech-dev!

2.0.0 / 2015-04-01

• Note: It is strongly recommended that you update to > v2.0.0 to address known security vulnerabilities in prior versions when both symmetric and asymmetric keys are used together.
• Update signature for JWT::decode(...) to require an array of supported algorithms to use when verifying token signatures.