use Firebase\JWT\JWT;
use Firebase\JWT\Key;
define('TOROB_PUBLIC_KEY', 'MCowBQYDK2VwAyEAt6Mu4T0pBORY11W+QeM35UsmLO3vsf+6yKpFDEImFk0=');
define('TOROB_PUBLIC_KEY_SEED', base64_encode(substr(base64_decode(TOROB_PUBLIC_KEY), -32)));
function verify($jwt): object {
// exp is checked by library but we should check aud manually
$decoded = JWT::decode($jwt, new Key(TOROB_PUBLIC_KEY_SEED, 'EdDSA'));
if ($decoded->aud !== "[expected_aud_value]") { // Replace with your API hostname
throw new \Exception("Invalid audience");
}
return $decoded;
}import io.jsonwebtoken.*;
import io.jsonwebtoken.io.Decoders;
import java.security.*;
import java.security.spec.*;
public class JwtVerifier {
private final JwtParser parser;
public JwtVerifier() throws NoSuchAlgorithmException, InvalidKeySpecException {
final var publicKeyString = "MCowBQYDK2VwAyEAt6Mu4T0pBORY11W+QeM35UsmLO3vsf+6yKpFDEImFk0=";
KeySpec keySpec = new X509EncodedKeySpec(Decoders.BASE64.decode(publicKeyString));
PublicKey publicKey = KeyFactory.getInstance("EdDSA").generatePublic(keySpec);
// aud and exp fields are checked by library
parser = Jwts.parser()
.requireAudience("[expected_aud_value]") // Replace with your API hostname
.verifyWith(publicKey)
.build();
}
public Jws verifyToken(String token) {
return parser.parseSignedClaims(token);
}
}{
"header": {"alg": "EdDSA", "typ": "JWT", "v": 1},
"payload": {"aud": "api.example.com", "exp": 1730206744, "nbf": 1730206000}
}-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAt6Mu4T0pBORY11W+QeM35UsmLO3vsf+6yKpFDEImFk0=
-----END PUBLIC KEY-----
