JWT Authentication

Hello, I can’t seem to get the JWT authentication to work.

My middleware.php contains this entry. I am trying to use a custom header: “stoken”

$app->add(new \Tuupola\Middleware\JwtAuthentication([
    "path" => "/api", /* or ["/api", "/admin"] */
    "secret" => "secretkey",
    "header" => "stoken",
    "algorithm" => ["HS256"],
    // Make the decoded token available to routes via the container
    "callback" => function ($request, $response, $arguments) use ($container) {
        $container["jwt"] = $arguments["decoded"];
    },
    // Return a JSON body when authentication fails
    "error" => function ($request, $response, $arguments) {
        $data["status"] = "error";
        $data["message"] = $arguments["message"];
        return $response
            ->withHeader("Content-Type", "application/json")
            ->write(json_encode($data, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT));
    }
]));

In settings.php - I added this entry at the bottom:

// jwt settings
"jwt" => [
    'secret' => 'secretkey'
],

And in the routes.php, for successful login I added:

$settings = $this->get('settings');
$token = JWT::encode(['id' => $usr->user_id, 'email' => $usr->email_address], $settings['jwt']['secret'], "HS256");
return $this->response->withJson(['token' => $token]);

So the login returns a 200 response, and dumps the token:

Login Success

So that’s good. Then in the next call (a Java program) I am attempting to set the token (hard coding it for now):

conn.setRequestProperty("stoken", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjEwMDAxMyIsImVtYWlsIjoiam9lMTFAeWFob28uY29tIn0.6I9GMf2tX9YzMiaAIXptcDqUfYssqqB5ZMb7w9AWEhw");

But I get a 500 error.

In this slim php there is no Error log information.

As per the documentation I have an entry for displayErrorDetails:

$configuration = [
    'settings' => [
        'displayErrorDetails' => true,
    ],
];

I don’t see any ERROR in app.log or know why it is failing. Any ideas?


Could you have forgotten the regex, since you have customized the token header to “stoken”?
If I remember correctly, you have to attach a logger to get a little more logging.
These are just some leads, but they may help you.

Which regex do you refer to?


In the README (https://github.com/tuupola/slim-jwt-auth)

By default the middleware assumes the value of the header is in Bearer <token> format. You can change this behaviour with regexp parameter. For example if you have custom header such as X-Token: <token> you should pass both header and regexp parameters.

$app = new Slim\App;

$app->add(new Tuupola\Middleware\JwtAuthentication([
    "header" => "X-Token",
    "regexp" => "/(.*)/",
    "secret" => "supersecretkeyyoushouldnotcommittogithub"
]));

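The header/regexp behaviour described in the README excerpt above, as an added example that is not part of the thread or of the middleware's own code: it extracts a token from a header value with a given pattern, then verifies it as HS256 with the algorithm pinned and a constant-time comparison. The Bearer-style pattern, the helper names and the sample token are assumptions constructed for illustration.

```php
<?php
// Added illustration; not code from tuupola/slim-jwt-auth.
/** Return the first capture group of $regexp applied to a header value, or null. */
function extractToken(string $headerValue, string $regexp): ?string
{
    $ok = preg_match($regexp, $headerValue, $m) === 1;
    return $ok && ($m[1] ?? '') !== '' ? $m[1] : null;
}

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Verify a compact JWT as HS256 only; return its claims, or null if rejected. */
function verifyHs256(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $sig] = $parts;
    $header = json_decode((string) base64_decode(strtr($h, '-_', '+/')), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null; // pinned algorithm: "none" or anything else is refused
    }
    $expected = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null; // constant-time signature comparison failed
    }
    $claims = json_decode((string) base64_decode(strtr($p, '-_', '+/')), true);
    return is_array($claims) ? $claims : null;
}

/** Hypothetical helper: extract with $regexp, then verify. */
function authenticate(string $headerValue, string $regexp, string $secret): ?array
{
    $token = extractToken($headerValue, $regexp);
    return $token === null ? null : verifyHs256($token, $secret);
}

// Constructed sample token, signed with the thread's placeholder secret.
$h = b64url('{"typ":"JWT","alg":"HS256"}');
$p = b64url('{"id":"1","email":"user@example.com"}');
$jwt = "$h.$p." . b64url(hash_hmac('sha256', "$h.$p", 'secretkey', true));
$bearer = '/Bearer\s+(.*)$/i'; // assumed Bearer-style pattern
var_dump(authenticate($jwt, $bearer, 'secretkey'));          // raw value, Bearer pattern
var_dump(authenticate("Bearer $jwt", $bearer, 'secretkey')); // Bearer value, Bearer pattern
var_dump(authenticate($jwt, '/(.*)/', 'secretkey'));         // raw value, README pattern
var_dump(authenticate($jwt, '/(.*)/', 'wrong-secret'));      // raw value, wrong key
```
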
Ok I have added regexp as above. However still getting the 500 error.

I can’t see any ERROR in the app.log. Tried creating a logger but no file is being created. Any tips on how I can get the details of the 500 error?


You can set PHP parameters at the beginning of your index.php.

I’ve just tested your configuration, and it works perfectly.

You can get the code in this repo: https://github.com/elaugier/testSTOKEN

I use these requests to test (first to get the token, second to check the 401, third to check that it works):

GET http://localhost:8080/token

GET http://localhost:8080/api

GET http://localhost:8080/api
Accept: application/json
Stoken: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjkwMTEzNTcsImp0aSI6IjEwMDJkZjJjLTcwMTktMTFlOC04MjBhLTgwZmE1YjUzMzcxMyIsImlzcyI6e30sIm5iZiI6MTUyOTAxMTM1NywiZXhwIjoxNTI5MDE0OTU3LCJkdGEiOnsiaWQiOjEsImVtYWlsIjoiam9obmRvZUBkb21haW4uY29tIn19.MVBT3ArKdCZfENj3G6zsKxKTu1jNR9KIMe5Oe23t5Aunp7GTJlJMmHfJjRPmV3d0Hyu5JHXCp_dYV8xa8-ndEA

I have been at this for hours and it is not logging a thing for 500 Errors. I am using WAMP server on windows. The log directory is C:\WAMP64\logs.
Nothing is getting logged into php_error.log.

I am using the default php.ini file. All the error logging and reporting is set ON. In my index.php file I have at the top:

ini_set('display_errors', 1);

I restart the server and hit a secure URL. I get 500, null. And nothing to see in the Error log.

I have also tried setting up a logger for JWT - pointing it to: …/logs/jwt.log.

Again nothing is getting logged.

I can’t help on this point… I use the PHP built-in server when I develop an application (to avoid having to troubleshoot the web server instead of solving issues in my code).
Have you tested your code with the PHP built-in server?

You’re hitting a secure URL with WAMP? I’ve never used TLS with WAMP; just used unsecured HTTP urls in dev