This method checks for the existence of a key within the JWT payload. If the key is 'identity', it checks the top-level 'identity' claim. For all other keys, it checks within the nested 'data' claim.

Parameters

Parameter	Type	Description
`$key`	`string`	the key to check for

get

Retrieves a value from the storage.

public get(string $key): mixed

If the key is 'identity', the identity data is returned. Otherwise, the value associated with the key in the data array is returned.

Parameters

Parameter	Type	Description
`$key`	`string`	the key of the value to retrieve

set

Sets a value in the JWT payload.

public set(string $key, mixed $value): void

This method stores a key-value pair in the 'data' section of the JWT payload. It specifically prevents overwriting the 'identity' key, which is reserved. If a value is successfully set, it flags the middleware to write the cookie.

Parameters

Parameter	Type	Description
`$key`	`string`	the key to set in the payload
`$value`	`mixed`	the value to store

Unsets a value from the storage.

public (string $key): void

This method removes the value associated with the specified key from the storage. Note that the 'identity' key is protected and cannot be unset.

Parameters

Parameter	Type	Description
`$key`	`string`	the key of the value to unset

clear

Clears the JWT storage.

public clear(): void

This method checks if the storage is not empty. If it contains data, it resets the internal data to null and sets a flag on the middleware to clear the associated cookie.

getToken

Generates a JWT token and optionally a refresh token.

public getToken(): void

This method constructs the JWT payload by merging existing data with standard claims such as issuer ('iss'), issued at ('iat'), expiration ('exp'), and subject ('sub'). It then builds the primary access token.

If a refresh timeout is configured, it also generates a refresh token with an extended expiration time, signed with a specific refresh token key.

Additionally, this method disables the middleware's cookie writing functionality to ensure the token is returned directly rather than set as a cookie.

refresh

Refreshes the JWT token.

public refresh(string $refreshToken, ?array $JWTRefreshBody): ?string

Parameters

Parameter	Type	Description
`$refreshToken`	`string`
`$JWTRefreshBody`	`array`

loadCryptoKey

Loads a cryptographic key from configuration or file.

private loadCryptoKey(string $name, array $cacheList): ?string

Parameters

Parameter	Type	Description
`$name`	`string`	the name of the key in the configuration
`$cacheList`	`array`	reference to the cache list for loaded keys

validateToken

Validates a JWT token.

private validateToken(string $token, ?array $JWTBody, ?string $passphrase): bool

This method decodes the token, verifies its structure, and validates the signature using the configured public or private key. It supports RS, ES, and PS algorithms. It also checks standard claims like 'iss' (issuer) and 'exp' (expiration).

Parameters

Parameter	Type	Description
`$token`	`string`	the JWT token string to validate
`$JWTBody`	`array`	reference variable to store the decoded JWT body if validation is successful
`$passphrase`	`string`	optional passphrase for the private key (currently unused in implementation)

checkToken

Checks for a valid JWT token in various locations and attempts to authenticate the user.

private checkToken(): bool

This method looks for a JWT token in the following order:

Internal class property ($this->token).
HTTP Authorization header (Bearer token).
'hazaar-auth-token' cookie.

If a valid token is found and validated, the user identity and data are populated. If the primary token is missing or invalid, it attempts to use a refresh token stored in the 'hazaar-auth-refresh' cookie to obtain a new session.

buildToken

Builds a JWT token with the given JWT body and passphrase.

private buildToken(array $JWTBody, ?string $passphrase): string

Parameters

Parameter	Type	Description
`$JWTBody`	`array`	the body of the JWT token
`$passphrase`	`string`	The passphrase to sign the JWT token. Defaults to null.

buildRefreshTokenKey

Builds a unique key for the refresh token based on the client's fingerprint.

private buildRefreshTokenKey(string $passphrase): string

This method generates a SHA-256 HMAC hash using the provided passphrase and a fingerprint constructed from the user agent string. If the 'fingerprintIP' configuration option is enabled, the client's IP address is also appended to the fingerprint to bind the token to a specific location.

Parameters

Parameter	Type	Description
`$passphrase`	`string`	the secret passphrase used to sign the hash

getAlgoName

Parses the algorithm name and extracts the algorithm type and bit length.

private getAlgoName(string $alg, ?int $bits): ?string

This method validates the provided algorithm string against supported types (HS, RS, ES, PS) and bit lengths (256, 384, 512). If valid, it populates the reference variable $bits with the bit length and returns the algorithm prefix.

Parameters

Parameter	Type	Description
`$alg`	`string`	The algorithm string to parse (e.g., 'HS256', 'RS512').
`$bits`	`int`	[out] Reference variable to store the extracted bit length (256, 384, or 512)

getAlgoConst

Retrieves the OpenSSL algorithm constant based on the specified number of bits.

private getAlgoConst(int $bits): int

This method maps the bit length (256, 384, or 512) to the corresponding OpenSSL SHA algorithm constant.

Parameters

Parameter	Type	Description
`$bits`	`int`	The number of bits for the algorithm (e.g., 256, 384, 512).

sign

Signs the JWT token.

private sign(array $JWTHeader, array $JWTBody, ?string $passphrase): string

Parameters

Parameter	Type	Description
`$JWTHeader`	`array`	the header of the JWT token
`$JWTBody`	`array`	the body of the JWT token
`$passphrase`	`string`

Generated by Hazaar API Doc Generator on Wed, 07 Jan 2026 11:29:59 +0000