Invalidation and Blacklisting of JWT Tokens in PHP Open-Source Saver with jwt-auth


On an Apache2 server, I established a Laravel 8.* project in a PHP 8.0 environment. Afterward, I integrated the latest PHP-Open-Source-Saver/jwt-auth repository and incorporated Middleware for validating the jwt tokens. Additionally, I added a JwtController that generates a jwt token upon login and refreshes it as needed.

Api requests are authenticated with:

$user = JWTAuth::parseToken()->authenticate();

All aspects mentioned on the package were functioning properly, except for the

JWT Token

The keys for blacklisting in my jwt configuration are defined in the environment.


I attempted all of the methods listed below, giving each a try at least twice, following the provided instructions.

// at the top of the controller file:
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use PHPOpenSourceSaver\JWTAuth\Exceptions\JWTException;
use PHPOpenSourceSaver\JWTAuth\Facades\JWTAuth;
use PHPOpenSourceSaver\JWTAuth\Token;

public function jwt_logout(Request $request)
{
    // get bearer token from the Authorization header
    $token = $request->bearerToken();
    if (! isset($token)) {
        return response()->json([
            'success' => false,
            'message' => 'Token is not set, please retry action or login.'
        ], Response::HTTP_UNAUTHORIZED);
    }

    // Invalidate and blacklist methods (each attempted call went here;
    // this is the one that survived in the posted code)
    try {
        JWTAuth::manager()->invalidate(new Token($token), $forceForever = true);

        return response()->json([
            'success' => true,
            'message' => 'User has been logged out'
        ]);
    } catch (JWTException $exception) {
        return response()->json([
            'success' => false,
            'message' => 'Sorry, user cannot be logged out'
        ], Response::HTTP_INTERNAL_SERVER_ERROR);
    }
}

Despite blacklisting a jwt token using the aforementioned method, any attempts to use it for authentication are successful without triggering a JWTBlacklistedException or any errors. The only scenario where authentication fails is when an expired jwt token is encountered.

Could anyone provide guidance on the process of both encoding and decoding a JWT token, specifically regarding

After conducting some research, I have discovered that the package has been configured to conceal any blacklist exceptions by default.

By setting


in my .env file, I was able to resolve the issue. Neglecting to review the package forum issues was my mistake.
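As an added example (not code from the question or from the jwt-auth package), the following framework-free PHP script walks through the cycle the question is about: issue an HS256 token carrying a jti claim, verify it, record the jti in a blacklist on logout, and verify again. The secret and the in-memory blacklist array are constructed stand-ins for the real JWT_SECRET and for the cache store the package uses; the function and exception names are the example's own. The point it illustrates, in line with the answer above, is that the verification step must raise the blacklisted condition rather than quietly returning: a check that swallows that exception is indistinguishable, from the caller's side, from a token that is still valid.

```php
<?php
// Added example, not part of the question or the jwt-auth package.
// Minimal HS256 issue / verify / blacklist cycle in plain PHP (8.0+).
// Secret and blacklist store are constructed stand-ins for real config.
declare(strict_types=1);

final class BlacklistedTokenException extends RuntimeException {}
final class InvalidTokenException extends RuntimeException {}

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string {
    $remainder = strlen($data) % 4;
    if ($remainder !== 0) {
        $data .= str_repeat('=', 4 - $remainder);
    }
    $out = base64_decode(strtr($data, '-_', '+/'), true);
    if ($out === false) {
        throw new InvalidTokenException('bad base64url segment');
    }
    return $out;
}

function issueToken(string $secret, string $subject, int $ttlSeconds, int $now): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode([
        'sub' => $subject,
        'iat' => $now,
        'exp' => $now + $ttlSeconds,
        'jti' => bin2hex(random_bytes(16)), // unique id; the blacklist is keyed on it
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

/** Verifies signature, alg, expiry and blacklist; throws instead of returning null. */
function verifyToken(string $token, string $secret, array $blacklist, int $now): array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new InvalidTokenException('token must have three segments');
    }
    [$header, $payload, $sig] = $parts;
    // Constant-time comparison of the recomputed signature
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {
        throw new InvalidTokenException('signature mismatch');
    }
    $hdr = json_decode(b64urlDecode($header), true);
    if (($hdr['alg'] ?? null) !== 'HS256') {
        throw new InvalidTokenException('unexpected alg');
    }
    $claims = json_decode(b64urlDecode($payload), true);
    if (!is_array($claims) || !isset($claims['exp'], $claims['jti'])) {
        throw new InvalidTokenException('missing claims');
    }
    if ($now >= (int) $claims['exp']) {
        throw new InvalidTokenException('token expired');
    }
    // Blacklist entries are kept until the token would have expired anyway
    if (isset($blacklist[$claims['jti']]) && $blacklist[$claims['jti']] > $now) {
        throw new BlacklistedTokenException('token has been blacklisted');
    }
    return $claims;
}

/** Logout: remember the jti until exp so the same token cannot be replayed. */
function invalidateToken(string $token, string $secret, array &$blacklist, int $now): void {
    $claims = verifyToken($token, $secret, $blacklist, $now);
    $blacklist[$claims['jti']] = (int) $claims['exp'];
}

// Demonstration run
$secret    = 'constructed-demo-secret-do-not-reuse'; // stand-in for JWT_SECRET
$blacklist = [];                                      // stand-in for the cache-backed store
$now       = time();

$token  = issueToken($secret, '42', 3600, $now);
$claims = verifyToken($token, $secret, $blacklist, $now);
echo "before logout: accepted, sub={$claims['sub']}\n";

invalidateToken($token, $secret, $blacklist, $now);
try {
    verifyToken($token, $secret, $blacklist, $now);
    echo "after logout: token still accepted (the symptom described in the question)\n";
} catch (BlacklistedTokenException $e) {
    echo "after logout: rejected ({$e->getMessage()})\n";
}
```

Run it with `php` on the command line: the first verification succeeds and the second ends in the catch block. In a real deployment the blacklist has to live in shared storage with a lifetime at least equal to the token's remaining validity, and the authentication middleware must treat the blacklisted case the same way it treats a bad signature, which is the behaviour the .env setting above turns on.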
