    I am going to make a SPA with Laravel and AngularJS. Can someone here give me some suggestions from their experience, also on using JWT for authentication?
    Victor Karanja
    I'm working with a SPA with Laravel and AngularJS, it's awesome. I'm using an AngularJS package called satellizer which stores the JWT token once a user is authenticated, in the localStorage of the browser or as a cookie depending on your preference, and sends it out with every request made to the Laravel API.
    Victor Karanja
    You can monitor authentication based on the JWT token that's stored using the package. It keeps track of the token, and you check if the token has expired with $auth.isAuthenticated() and fire an event, like popping up a modal asking them to log in again or redirecting the user to the login page.
    Hi guys, I have a JWT token setup and I'm passing through some custom claims like the associated user roles and permissions, their name and their avatar image... The user could fall under a few permissions though, or may have a lot of associated roles. I am worried about the custom claims bit becoming too big, as I have seen warnings that it shouldn't be. So my question is: what is the best practice on the size of the custom claims?
    Brian Singer
    Well. The limit of a REST request header is 8KB in most cases, so you have to keep it below that if you use it with REST calls.
    Otherwise, 8KB is extremely big. I would say 1KB max.
    Thibaut Vincent
    Hi, I'm currently using JWT on some routes. When I'm using a specific route, sometimes after 1 time, sometimes after a few times, the token is suddenly invalid. Every time I send an API request the token gets refreshed. Does someone know how to solve this?

    Hi, I'm currently using the latest commit (dev-develop 821625d). I'm currently unable to use custom claims. Anyone else have this issue?

            $credentials = $request->only(['email', 'password']);
            $customClaims = [];
            if ($company != '') {
                // Custom claims passed as the second argument to attempt() (pre-1.0 API)
                $customClaims = ['context' => ['user' => ['email' => $request->email], 'company' => ['name' => $company]]];
            }
            try {
                if (!$token = JWTAuth::attempt($credentials, $customClaims)) {
                    throw new UnauthorizedHttpException('Invalid email/password');
                }
            } catch (JWTException $e) {
                return $this->response->errorInternal('Token Generation Error');
            }
    Authentication works fine and a token is generated, however the custom claims are not present within the token.

    In version 1.* JWTAuth::attempt no longer accepts a second parameter. I was able to resolve my issue via JWTFactory.
            $customClaims = [];
            if ($company != '') {
                $customClaims = ['user' => ['email' => $request->email], 'company' => ['name' => $company]];
            }
            try {
                if (!$checkAuth = JWTAuth::attempt($credentials)) {
                    throw new UnauthorizedHttpException(trans('auth.invalid_credentials'));
                } else {
                    // Build the payload through the factory so the custom claims land under a "context" key,
                    // then encode it into a token manually
                    $payload = JWTFactory::context($customClaims)->make();
                    $token = JWTAuth::encode($payload);
                }
            } catch (JWTException $e) {
                return $this->response->errorInternal(trans('auth.token_generation_error'));
            }
            return $this->response->array(['token' => $token->get()]);
    Agustín Siles
    Hi guys,
    I'm using Sails.js
    and I'm trying to issue an access token and a refresh token, and I have no idea how to create a refresh one. Can anybody help me please?
    Javis V. Pérez
    Hello! I have a question regarding JWT. I'm using this package to handle my JWT tokens, but I'm creating a new token on every request and blacklisting the previous one. Is that part of the JWT flow or am I just doing some foolishness?
    @javisperez If you have a requirement to issue a new token on every request, then it's fine. However, typically you should just rely on the expiration claim. https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.4
    Javis V. Pérez
    Oh great man, thank you @Benjman. I didn't know if I was doing the expected behavior or if I was just doing wrong things (apparently I was). Thank you, I'll rely on exp as you say, thank you.
    I just read this post http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ and would like some thoughts on it.
    Hi guys! I am building an iOS app with Laravel 5.3 as a backend using JWT auth. I can log into the app and receive the token, but I don't know: am I supposed to store the JWT on the iOS client, or will Laravel store the token in a session? How does the token persist?
    OK, I got the token persisting. I'm not sure how I can use it lol. Do I need to pass it with the URL on each request?
    @Mapamatician Yes, you would typically add it to the header for each request.
    I got it eventually thanks
    what I'm struggling with now is logout. How can I invalidate a token?
    Meheret Egzerab
    Could someone please help me with authentication? I am getting this error: UnauthorizedError: jwt expired.
    Swornim Shrestha
    How can I increase the time to expire the token?
    karunaker reddy
    I have a separate authentication app built with JHipster and I want to share the JWT token among multiple subdomains (multiple UI apps hosted under x.xyz.com, y.xyz.com, z.xyz.com). How can I share the JWT token from the authentication app with the other apps?
    René Goretzka
    Hello. When I save a JWT for a user being logged in, how do I get the user props from that user when he is already logged in and wants to access some stuff? I want to get the user ID or something like that.
    Is https://github.com/ojensen5115/jwtcrack still a vulnerability?
    Nice to join this room
    Does someone have a simple example login script in PHP that uses JWT ?
    Alexander Gaal
    I've got a question. I am using Angular in the frontend and Laravel in the backend, both are using JWT for tokens and our server uses HTTP/2. If I call my application, several requests are started at the same time; when I refresh the token on the first request, the following requests are causing errors, because the token is already invalid. Any solutions, except turning the blacklist off?

    Hi, does anyone know how I can generate v-model names in a v-for loop?
    <div class="form-group" v-for="drank in dranken">
    <input type="number" class="form-control" placeholder="Hoeveelheid" v-model="stocktelling.naam">
    The v-model should be generated to be different for every input.
    oops wrong room
    Does anyone have an axios implementation example code which requests a JWT refresh (if necessary) before the AJAX call? Would be really helpful!
    Neeraj Dhiman
    Can someone help me on verifying keycloak access_token (which is JWT) ?
    Lihai Ben-Haim
    I have a question about the security of a system with authentication by JWT.
    What if someone could somehow crack a single JWT token of a user (using MITM for example)?
    From then on, basically even if the user changes his password, the cracked JWT is already obtained.
    Let's say the secret private key is kept on the server and never replaced.
    That means that once someone gets the JWT token, he will get access to the user's resources forever.
    In a session system, we are using a randomly generated ID, so even if someone gets the session ID, the system can somehow recover from it: deleting the sessions, generating new ones, etc.
    Tasos Soukoulis
    Is it possible to roll my own JWT authentication on top of OAuth2? E.g. create the user account using Google/Facebook OAuth2 and then keep authenticating using the JWT created by my server?
    Or is it wasteful?
    Ranie Santos

    Is it okay or is it a bad idea to add 'remember me' functionality when using JWT instead of sessions?

    I have a project using JWT and I've gotten it to work so far (expires every hour, can be refreshed for up to 2 weeks). But right now I have a useless "remember me" checkbox on my login page.

    I'm trying to decide whether I should remove it or make it functional.

    I've been looking through the code and it seems refresh_ttl isn't found in any of the token's claims.

    The exp claim only refers to the regular ttl.

    So I can't use the getJWTCustomClaims method in the User model specified in the docs of the package.