kaabar-jwt/yii2-jwt The Yii2 JWT extension is a tool for implementing JWT (JSON Web Token) authentication in Yii2 applications. It allows develop... (see full description)

Kaabar JWT Auth Extension

The Yii2 JWT extension is a tool for implementing JWT (JSON Web Token) authentication in Yii2 applications. It allows developers to create APIs that require authentication and authorization, ensuring that only authorized users can access certain resources. The extension provides a simple and flexible way to implement JWT authentication in Yii2, using the JWT library and following the JWT specification. It includes support for creating and verifying JWT tokens, as well as handling token expiration and refresh. The Yii2 JWT extension can be easily integrated into any Yii2 application, making it a powerful tool for API authentication and authorization.

The preferred way to install this extension is through composer.

Either run

php composer.phar require --prefer-dist kaabar-jwt/yii2-jwt:dev-master

or add

"kaabar-jwt/yii2-jwt": "dev-master"

to the require section of your composer.json file.

Implementation Steps

  • Yii2 installed
  • An https enabled site is required for the HttpOnly cookie to work cross-site
  • Add JWT parameters in /config/params.php
return [
    'jwt' => [
        'issuer' => 'https://api.example.com',  //name of your project (for information only)
        'audience' => 'https://example.com',  //description of the audience, eg. the website using the authentication (for info only)
        'id' => 'AMqey0yAVrqmhR82RMlWB3zqMpvRP0zaaOheEeq2tmmcEtRYNj',  //a unique identifier for the JWT, typically a random string
        'expire' => '+1 hour',  //the short-lived JWT token is here set to expire after 1 Hours.
        'request_time' => '+1 minute',
        //'request_time' => '+5 seconds',
  • Add component in configuration in /config/web.php for initializing JWT authentication:
$config = [
    'components' => [
        'jwt' => [
            'class' => \kaabar\jwt\Jwt::class,
            'key' => 'SECRET-KEY',  //typically a long random string
  • Add the authenticator behavior to your controllers

  • For AuthController.php we must exclude actions that do not require being authenticated, like login, options (when browser sends the cross-site OPTIONS request).

public function behaviors() {
    $behaviors = parent::behaviors();

    $behaviors['authenticator'] = [
        'class' => \kaabar\jwt\JwtHttpBearerAuth::class,
        'except' => [

    return $behaviors;
  • Add the methods generateJwt() and generateRefreshToken() to AuthController.php. We'll be using them in the login/refresh-token actions. Adjust class name for your user model if different.
private function generateJwt(\app\models\User $user) {
    $jwt = Yii::$app->jwt;
    $signer = $jwt->getSigner('HS256');
    $key = $jwt->getKey();

    //use DateTimeImmutable;
    $now   = new DateTimeImmutable();
    $jwtParams = Yii::$app->params['jwt'];

    $token = $jwt->getBuilder()
        // Configures the issuer (iss claim)
        // Configures the audience (aud claim)
        // Configures the id (jti claim)
        ->identifiedBy($jwtParams['id'], true)
        // Configures the time that the token was issue (iat claim)
        // Configures the time that the token can be used (nbf claim)
        // Configures the expiration time of the token (exp claim)
        // Configures a new claim, called "uid"
        ->withClaim('uid', $user->id)
        // Builds a new token
        ->getToken($signer, $key);

    return $token->toString();
  • Add the login action to AuthController.php:
public function actionLogin() {
    $model = new \app\models\LoginForm();
    if ($model->load(Yii::$app->request->getBodyParams()) && $model->login()) {
        $user = Yii::$app->user->identity;

        $token = $this->generateJwt($user);
        return [
            'user' => $user,
            'token' => (string) $token,
        return $model;
1 0
1 follower
Yii Version: 2.0
License: MIT
Category: Auth
Developed by: cpjeslot
Created on: Jan 6, 2023
Last updated: (not set)
Packagist Profile
Github Repository

Related Extensions