JWTAlgorithm uses ConstantsTrait
Defines supported JSON Web Token (JWT) signing algorithms.
Each constant represents a standard algorithm identifier as defined by RFC 7518.
- Symmetric (HMAC) – single shared secret key for both signing and verifying:
  - HS256 — HMAC using SHA-256
  - HS384 — HMAC using SHA-384
  - HS512 — HMAC using SHA-512
- Asymmetric (RSA) – private key signs, public key verifies:
  - RS256 — RSASSA-PKCS1-v1_5 using SHA-256
  - RS384 — RSASSA-PKCS1-v1_5 using SHA-384
  - RS512 — RSASSA-PKCS1-v1_5 using SHA-512
- Asymmetric (RSA-PSS) – enhanced padding scheme:
  - PS256 — RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  - PS384 — RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  - PS512 — RSASSA-PSS using SHA-512 and MGF1 with SHA-512
- Optional / Other:
  - NONE — no digital signature or MAC
Symmetric algorithms use a shared secret and are generally simpler to implement, but asymmetric algorithms are recommended for production because they allow key rotation and separation of issuer and verifier responsibilities.
Helper methods:
- isSymmetric(string $alg) — returns true for HMAC algorithms
- isAsymmetric(string $alg) — returns true for RSA, RSA-PSS, or ECDSA algorithms
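One way a verifier can pin the accepted algorithms to its key type before checking a signature, so that `none` or an `alg` from the other key family is refused. This is an added example, not code from this library: `pinnedAlgorithm()`, `b64urlDecode()`, the `hmac`/`rsa` family labels and the sample tokens are hypothetical, and the algorithm strings mirror the constants listed above.

```php
<?php
declare(strict_types=1);
// Algorithm strings mirror the page's constants, grouped by key family.
const HMAC_ALGS = ['HS256', 'HS384', 'HS512'];
const RSA_ALGS  = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'];

/** Decode one base64url segment; null on malformed input. */
function b64urlDecode(string $seg): ?string
{
    $padded  = strtr($seg, '-_', '+/') . str_repeat('=', (4 - strlen($seg) % 4) % 4);
    $decoded = base64_decode($padded, true);
    return $decoded === false ? null : $decoded;
}

/**
 * Return the header "alg" only if it is on the allowlist for the configured
 * key family; throw otherwise. Call this before any signature verification.
 */
function pinnedAlgorithm(string $jwt, string $keyFamily, array $allowed): string
{
    $family = ['hmac' => HMAC_ALGS, 'rsa' => RSA_ALGS][$keyFamily] ?? null;
    // A mixed or empty allowlist is a configuration error: it would let the
    // token header choose how the verification key is interpreted.
    if ($family === null || $allowed === [] || array_diff($allowed, $family) !== []) {
        throw new InvalidArgumentException('allowlist does not match key family');
    }
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('malformed token');
    }
    $header = json_decode(b64urlDecode($parts[0]) ?? '', true);
    $alg    = is_array($header) ? ($header['alg'] ?? null) : null;
    // Strict, case-sensitive match: "none", "None" and unknown names all fail.
    if (!is_string($alg) || !in_array($alg, $allowed, true)) {
        throw new UnexpectedValueException('algorithm not allowed');
    }
    return $alg;
}

// Constructed, unsigned sample tokens (header.payload. with an empty signature).
$enc = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$tok = fn(string $alg): string => $enc(json_encode(['alg' => $alg])) . '.' . $enc('{"sub":"demo"}') . '.';
foreach (['RS256', 'PS256', 'HS256', 'none', 'None'] as $alg) {
    try {
        echo $alg . ': accepted as ' . pinnedAlgorithm($tok($alg), 'rsa', ['RS256', 'PS256']) . PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo $alg . ': rejected, ' . $e->getMessage() . PHP_EOL;
    }
}
```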
Table of Contents
Constants
- HS256 = 'HS256'
  HS256 — HMAC using SHA-256.
- HS384 = 'HS384'
  HS384 — HMAC using SHA-384.
- HS512 = 'HS512'
  HS512 — HMAC using SHA-512.
- NONE = 'none'
  No digital signature or MAC.
- PS256 = 'PS256'
  PS256 — RSASSA-PSS using SHA-256 and MGF1 with SHA-256.
- PS384 = 'PS384'
  PS384 — RSASSA-PSS using SHA-384 and MGF1 with SHA-384.
- PS512 = 'PS512'
  PS512 — RSASSA-PSS using SHA-512 and MGF1 with SHA-512.
- RS256 = 'RS256'
  RS256 — RSASSA-PKCS1-v1_5 using SHA-256.
- RS384 = 'RS384'
  RS384 — RSASSA-PKCS1-v1_5 using SHA-384.
- RS512 = 'RS512'
  RS512 — RSASSA-PKCS1-v1_5 using SHA-512.
Methods
- isAsymmetric() : bool
  Returns true if the given algorithm is asymmetric.
- isSymmetric() : bool
  Returns true if the given algorithm is symmetric.
Constants
HS256
HS256 — HMAC using SHA-256.
public mixed HS256 = 'HS256'
A symmetric algorithm that uses a single shared secret key for both signing and verifying JWTs.
Commonly used for simplicity when both the issuer and verifier run in the same trusted environment.
HS384
HS384 — HMAC using SHA-384.
public mixed HS384 = 'HS384'
Similar to HS256 but using a larger SHA-384 hash, providing stronger cryptographic security.
HS512
HS512 — HMAC using SHA-512.
public mixed HS512 = 'HS512'
Uses SHA-512 hash for maximum cryptographic strength in symmetric signing scenarios.
NONE
No digital signature or MAC.
public mixed NONE = 'none'
PS256
PS256 — RSASSA-PSS using SHA-256 and MGF1 with SHA-256.
public mixed PS256 = 'PS256'
An asymmetric algorithm using the RSA-PSS padding scheme, offering stronger cryptographic security than RS256.
PS384
PS384 — RSASSA-PSS using SHA-384 and MGF1 with SHA-384.
public mixed PS384 = 'PS384'
Provides enhanced security over PS256 by using SHA-384 hash.
PS512
PS512 — RSASSA-PSS using SHA-512 and MGF1 with SHA-512.
public mixed PS512 = 'PS512'
Maximum cryptographic strength for RSA-PSS signing.
RS256
RS256 — RSASSA-PKCS1-v1_5 using SHA-256.
public mixed RS256 = 'RS256'
An asymmetric algorithm using a private key to sign and a public key to verify the JWT.
Recommended for production; allows key rotation and separation of issuer and verifier.
RS384
RS384 — RSASSA-PKCS1-v1_5 using SHA-384.
public mixed RS384 = 'RS384'
Similar to RS256 but uses SHA-384 hash for stronger security.
RS512
RS512 — RSASSA-PKCS1-v1_5 using SHA-512.
public mixed RS512 = 'RS512'
Similar to RS256 but uses SHA-512 hash for maximum cryptographic strength.
Methods
isAsymmetric()
Returns true if the given algorithm is asymmetric.
public static isAsymmetric(string $algorithm) : bool
Parameters
- $algorithm : string
  JWT algorithm name (e.g. "RS256")
Return values
bool
isSymmetric()
Returns true if the given algorithm is symmetric.
public static isSymmetric(string $algorithm) : bool
Parameters
- $algorithm : string
  JWT algorithm name (e.g. "HS256")