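/**
 * Decodes a JWT string into a PHP object.
 *
 * The token is split into its three segments, the header and payload are
 * base64url + JSON decoded, and, unless $verify is false, the signature is
 * recomputed with JWT::sign() and compared in constant time.
 *
 * @param string      $jwt          The JWT
 * @param string|null $key          The secret key used to recompute the signature
 * @param bool        $verify       Whether to verify the signature (true by default)
 * @param array|null  $allowed_algs Optional whitelist of algorithm names the header may
 *                                  name; null keeps the previous behaviour of accepting
 *                                  whatever 'alg' the (not yet verified) header carries
 *
 * @return object The JWT's payload as a PHP object
 *
 * @throws DomainException          thrown when $verify is true and no algorithm is present in
 *                                  the header, or the header's algorithm is not in $allowed_algs
 * @throws UnexpectedValueException thrown on any error while decoding
 */
public static function decode($jwt, $key = null, $verify = true, $allowed_algs = null)
{
    $tks = explode('.', $jwt);
    if (count($tks) !== 3) {
        throw new UnexpectedValueException('Wrong number of segments');
    }
    list($headb64, $payloadb64, $cryptob64) = $tks;

    // jsonDecode() signals a malformed segment with null, so both segments are checked
    // before anything in them is used.
    if (null === ($header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64)))) {
        throw new UnexpectedValueException('Invalid segment encoding');
    }
    if (null === ($payload = JWT::jsonDecode(JWT::urlsafeB64Decode($payloadb64)))) {
        throw new UnexpectedValueException('Invalid segment encoding');
    }
    $sig = JWT::urlsafeB64Decode($cryptob64);

    if ($verify) {
        // 'alg' comes from the header *before* the signature has been checked, so it is
        // attacker-controlled input to JWT::sign(): insist on a non-empty string and,
        // when the caller supplied a whitelist, on one of the expected names.
        if (!isset($header->alg) || !is_string($header->alg) || $header->alg === '') {
            throw new DomainException('Empty algorithm');
        }
        if ($allowed_algs !== null && !in_array($header->alg, $allowed_algs, true)) {
            throw new DomainException('Algorithm not allowed');
        }
        $expected = JWT::sign($headb64 . '.' . $payloadb64, $key, $header->alg);
        // hash_equals() is a strict, constant-time comparison; the loose '!=' it replaces
        // was neither, and a byte-by-byte early exit leaks signature bytes through timing.
        if (!is_string($sig) || !is_string($expected) || !hash_equals($expected, $sig)) {
            throw new UnexpectedValueException('Signature verification failed');
        }
    }

    return $payload;
}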