Install the tymon/jwt-auth package; 2. Publish JWT configuration files; 3. Generate JWT keys and configure .env; 4. The user model implements the JWTSubject interface; 5. Set up JWT guard in the auth configuration; 6. Create a controller that includes login, logout, refresh and obtains user information; 7. Define routes in api.php and apply auth:api middleware; 8. Request protected routes through Authorization: Bearer <token> to complete the authentication process. The entire process needs to ensure that JWT_SECRET is secure and the input verification is strictly implemented, and finally implement stateless API authentication based on JWT in Laravel.

Implementing JWT (JSON Web Token) authentication in Laravel is a common requirement for building stateless APIs. Here's a clear, step-by-step guide using the popular tymon/jwt-auth package.

1. Install the JWT Package

First, install the tymon/jwt-auth package via Composer:

 composer requires tymon/jwt-auth

Note: For Laravel 10/9, make sure you're using a compatible version. As of recent versions, use ^2.1 .

2. Publish the Configuration File

Publish the JWT configuration file using Artisan:

 php artisan vendor:publish --provider="Tymon\JWTAuth\Providers\LaravelServiceProvider"

This creates a config/jwt.php file where you can customize token behavior (TTL, algorithm, etc.).

3. Generate the Secret Key

Generate a secret key for signing tokens:

 php artisan jwt:secret

This command adds a JWT_SECRET entry to your .env file — cruel for securing your tokens.

Example in .env :

 JWT_SECRET=your_generated_secret_key_here

4. Configure the User Model

Ensure your User model (usually App\Models\User ) implements the JWTSubject contract:

 <?php

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Tymon\JWTAuth\Contracts\JWTSubject;

class User extends Authenticatable implements JWTSubject
{
    // ...

    /**
     * Get the identifier that will be stored in the subject claim of the JWT.
     */
    public function getJWTIdentifier()
    {
        return $this->getKey();
    }

    /**
     * Return a key-value array, containing any custom claims to be added to the JWT.
     */
    public function getJWTCustomClaims()
    {
        return [];
    }
}

5. Set Up Authentication Guards

Update config/auth.php to add a JWT guard:

 'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'jwt', // Use JWT driver for API
        'provider' => 'users',
    ],
],

Also, ensure your api routes use the api guard (this is often default in Laravel).

6. Create Authentication Controllers

Generate a controller to handle login, logout, refresh, and user details:

 php artisan make:controller AuthController

Add methods like:

 namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Tymon\JWTAuth\Exceptions\JWTEException;
use JWTAuth;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        try {
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'Invalid credentials'], 401);
            }
        } catch (JWTException $e) {
            return response()->json(['error' => 'Could not create token'], 500);
        }

        return response()->json(compact('token'));
    }

    public function getAuthenticatedUser()
    {
        try {
            if (! $user = JWTAuth::parseToken()->authenticate()) {
                return response()->json(['user_not_found'], 404);
            }
        } catch (JWTException $e) {
            return response()->json(['error' => $e->getMessage()], $e->getStatusCode());
        }

        return response()->json(compact('user'));
    }

    public function logout()
    {
        JWTAuth::invalidate(JWTAuth::getToken());

        return response()->json(['message' => 'Successfully logged out']);
    }

    public function refresh()
    {
        $token = JWTAuth::refresh();

        return response()->json(['token' => $token]);
    }
}

7. Define API Routes

In routes/api.php :

 use App\Http\Controllers\AuthController;

Route::post('login', [AuthController::class, 'login']);
Route::middleware('auth:api')->group(function () {
    Route::get('me', [AuthController::class, 'getAuthenticatedUser']);
    Route::post('logout', [AuthController::class, 'logout']);
    Route::post('refresh', [AuthController::class, 'refresh']);
});

Now, protected routes require a valid JWT in the Authorization header:

 Authorization: Bearer <your-token-here>

8. Test the Flow

1. Login : POST /api/login with email and password → get token.
2. Access Profile : GET /api/me with Authorization: Bearer <token> → get user.
3. Refresh Token : POST /api/refresh → get new token.
4. Logout : POST /api/logout → invalidate current token.

Optional: Customize Token Expiry

Edit config/jwt.php :

 'ttl' => 60, // Token valid for 60 minutes
'refresh_ttl' => 20160, // Refreshable within 14 days

Notes & Security Tips

• Always use HTTPS in production.
• Store tokens securely on the client (eg, HttpOnly cookies or secure storage).
• Handle token expiration and refresh logic on the frontend.
• Consider rate-limiting login attempts.

Basically, that's it. JWT auth in Laravel with tymon/jwt-auth is straightforward once the setup steps are followed. Just remember to keep your JWT_SECRET safe and validate input rigorously.

The above is the detailed content of How to implement JWT authentication in Laravel?. For more information, please follow other related articles on the PHP Chinese website!