Today we will develop an API (Application Programming Interface) application with Laravel and secure it with JWT.

So what is JWT in the first place? Let's start there.


JWT (JSON Web Token) is a token format standardized by the IETF as RFC 7519. It is used between communicating systems (mobile, web, cloud, IoT and so on) wherever identifying the user, verifying that identity, and protecting the integrity of the transported information matter.

The Structure of JWT

A JWT is composed of three separate parts, each Base64URL-encoded and joined with a '.' character. These parts are:

  • Header
  • Payload
  • Signature


Header

This is where the token's metadata lives. The standard header looks like this:

{
  "alg": "HS256",
  "typ": "JWT"
}

alg: Names the cryptographic algorithm used to sign the token (here HS256, HMAC with SHA-256). The supported algorithms vary depending on the library you use; check its documentation for the list.

typ: Indicates that the token type is JWT.


Payload

Although a few standard claims exist, this is the part that carries the data we want to transport. Some of the standard (registered) claims:

  • iss (issuer): who issued the token
  • sub (subject): the subject of the token, typically the user ID
  • exp (expiration time): the time after which the token must no longer be accepted
  • nbf (not before): the time before which the token must not be accepted
  • iat (issued at): when the token was created

We will come back to these claims later; for most applications the registered claims are more than enough.


Signature

This is the part where the secret key is used. The signature is not an encryption of the header: it is computed over the Base64URL-encoded header and payload (joined with '.') using the algorithm named in alg, so for HS256 it is an HMAC-SHA256 keyed with your secret.


Note that everything in the token except the signature can be read by anyone who holds it: simply Base64URL-decode the first two parts. So never put passwords or other secrets in the payload. What cannot be done is changing that content, because the signature would then no longer verify without the key.

JWT Advantages

Since tokens are stateless, no database lookup is required to load the user's information on every request.

  • Session management can be done without server-side session storage or cookies.
  • A single token is valid across multiple servers, as long as they share the key.
  • Requests are faster because no database or session-store round trip is performed.

JWT Drawbacks

  • If your secret key is not strong enough, it can be recovered offline from a single captured token and then used to forge new ones.
  • Because tokens are stateless, there is no built-in way to revoke one on the server side before it expires. (This can be worked around with several methods, such as a server-side denylist of revoked tokens.)
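Both drawbacks are easy to demonstrate. The block below is an added example, not part of the original post or of tymon/jwt-auth: it recovers a weak HS256 secret from one token with a tiny constructed wordlist, forges a token with it, shows that a 256-bit random secret is out of reach of that attack, and sketches a jti denylist as one revocation method. The Denylist class, the wordlist and the jti values are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(header_b64: str, payload_b64: str, secret: bytes) -> bytes:
    return hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()


def make_token(payload: dict, secret: bytes) -> str:
    header_b64 = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{b64url(hs256(header_b64, payload_b64, secret))}"


def signature_ok(token: str, secret: bytes) -> bool:
    header_b64, payload_b64, sig_b64 = token.split(".")
    return hmac.compare_digest(hs256(header_b64, payload_b64, secret), b64url_decode(sig_b64))


def crack_hs256_secret(token: str, wordlist):
    """Offline dictionary attack: one captured token, no requests to the server, nothing to rate-limit."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    target = b64url_decode(sig_b64)
    for guess in wordlist:
        if hmac.compare_digest(hs256(header_b64, payload_b64, guess.encode()), target):
            return guess
    return None


def strong_secret() -> bytes:
    # 256 bits from the OS CSPRNG; no wordlist reaches this
    return secrets.token_bytes(32)


class Denylist:
    """Server-side revocation (hypothetical helper): remember the jti of revoked tokens.
    In production this would live in a shared store such as Redis with a TTL equal to the token's exp."""

    def __init__(self):
        self._revoked = set()

    @staticmethod
    def _jti(token: str) -> str:
        return json.loads(b64url_decode(token.split(".")[1]))["jti"]

    def revoke(self, token: str) -> None:
        self._revoked.add(self._jti(token))

    def is_revoked(self, token: str) -> bool:
        return self._jti(token) in self._revoked


def demo() -> dict:
    wordlist = ["password", "123456", "secret", "changeme"]  # constructed mini wordlist
    weak_token = make_token({"sub": "42", "jti": "t-1"}, b"secret")  # deliberately weak secret
    recovered = crack_hs256_secret(weak_token, wordlist)
    # with the recovered secret the attacker mints a token for any user they like
    forged = make_token({"sub": "1", "jti": "t-forged"}, recovered.encode()) if recovered else None
    strong_token = make_token({"sub": "42", "jti": "t-2"}, strong_secret())
    deny = Denylist()
    deny.revoke(weak_token)  # e.g. on logout or password change
    return {
        "recovered": recovered,
        "forged_verifies": forged is not None and signature_ok(forged, b"secret"),
        "strong_recovered": crack_hs256_secret(strong_token, wordlist),
        "weak_token_revoked": deny.is_revoked(weak_token),
        "forged_revoked": forged is not None and deny.is_revoked(forged),
    }


if __name__ == "__main__":
    print(demo())
```

Note the last result: a denylist only helps against tokens you know about; a token forged with a stolen or guessed secret has a jti you never issued, so the only real fix for a weak secret is rotating it.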

That covers JWT in general. Now let's examine how it works in a simple Laravel API. Two different libraries are commonly used:

  • firebase/php-jwt
  • tymon/jwt-auth

We will use tymon/jwt-auth in our application. First we pull it into the project with Composer:

composer require tymon/jwt-auth:1.0.0

At Medianova we are developing this project on Laravel 6; the steps below apply to Laravel 5.4 and above. After installing the package, publish its configuration through the Artisan CLI:

php artisan vendor:publish --provider="Tymon\JWTAuth\Providers\LaravelServiceProvider"

You will then see jwt.php under config/. Next we generate the secret key for JWT, again via the terminal:

php artisan jwt:secret

After that, a JWT_SECRET key will be written to your .env file. Since this is a sample application, we will proceed as if a database connection exists. You can use your own model if you want; there is no difference, so here we go through the User model that ships with Laravel. First we make the following changes in app/User.php:

use Tymon\JWTAuth\Contracts\JWTSubject;

...

class User extends Authenticatable implements JWTSubject
{
    // Value stored in the token's "sub" claim; the model's primary key is the usual choice
    public function getJWTIdentifier()
    {
        return $this->getKey();
    }

    // Extra claims to embed in the payload; remember they are readable by anyone holding the token
    public function getJWTCustomClaims()
    {
        return [];
    }
}

After these changes, our model file should look like this:
