JWT token creation

Why doesn’t this work? In PHP 7.3
I get the error: The Token’s Signature resulted invalid when verified using the Algorithm: HmacSHA256

```php
<?php
define("API_KEY", "my API Key");
define("API_SECRET", "my AOI Secret");

$header = '{"alg":"HS256","typ":"JWT"}';
$payload = '{"iss":"' . API_KEY . '","exp":' . (time() + 50) . '}';
$signature = hash_hmac("sha256", base64url_encode($header) . "." . base64url_encode($payload), API_SECRET, true);
$token = base64url_encode($header) . "." . base64url_encode($payload) . "." . $signature;

$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_URL => "https://api.zoom.us/v2/users",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_HTTPHEADER => array(
        "authorization: Bearer " . $token,
        "content-type: application/json"
    ),
));

$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response;
}

function base64url_encode($data)
{
    // Encode $data to Base64 string
    $b64 = base64_encode($data);

    // Valid result? Otherwise, return FALSE, as the base64_encode() function does
    if ($b64 === false) {
        return false;
    }

    // Convert Base64 to Base64URL by replacing "+" with "-" and "/" with "_"
    $url = strtr($b64, '+/', '-_');

    // Remove padding character from the end of line and return the Base64URL result
    return rtrim($url, '=');
}

function base64url_decode($data, $strict = false)
{
    // Convert Base64URL to Base64 by replacing "-" with "+" and "_" with "/"
    $b64 = strtr($data, '-_', '+/');

    // Decode Base64 string and return the original data
    return base64_decode($b64, $strict);
}
?>
```

In your call to hash_hmac, the last argument should be False, not True. Your code generates a proper JWT with that change:

It did not work for me with false. I got the error I reported at the beginning of my post.
What works for me is to have true in the call to hash_hmac to get the signature, then base64url encode that when composing the token. I figured that out from reading the code in one of the jwt.io packages.
Lloyd
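
The approach described in the post above (raw HMAC output, then base64url-encode it as the third token segment), written out as an added example that is not code from this thread or from Zoom. The function names, key, secret and timestamp are constructed for illustration; the verifier is a local check that shows why the other two signature forms discussed here are rejected.

```php
<?php
// Added example; key, secret and timestamp are constructed sample values.
function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data)
{
    $b64 = strtr($data, '-_', '+/');
    // Restore the padding that base64url strips, then decode strictly.
    return base64_decode(str_pad($b64, strlen($b64) + (4 - strlen($b64) % 4) % 4, '='), true);
}

function jwt_hs256_sign(array $claims, string $secret): string
{
    $input = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']))
        . '.' . b64url_encode(json_encode($claims));
    // Fourth argument true = raw 32-byte MAC; it must be base64url-encoded before use.
    return $input . '.' . b64url_encode(hash_hmac('sha256', $input, $secret, true));
}

function jwt_hs256_verify(string $token, string $secret, int $now): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return false; }
    list($header, $payload, $sig) = $parts;
    $head = json_decode((string) b64url_decode($header), true);
    // Pin the algorithm instead of letting the token header choose it.
    if (!is_array($head) || ($head['alg'] ?? null) !== 'HS256') { return false; }
    $expected = b64url_encode(hash_hmac('sha256', $header . '.' . $payload, $secret, true));
    if (!hash_equals($expected, $sig)) { return false; } // constant-time compare
    $claims = json_decode((string) b64url_decode($payload), true);
    return is_array($claims) && isset($claims['exp']) && $claims['exp'] > $now;
}

$secret = 'constructed-sample-secret';
$now    = 1700000000; // fixed timestamp so the run is repeatable
$good   = jwt_hs256_sign(['iss' => 'constructed-sample-key', 'exp' => $now + 50], $secret);
$input  = substr($good, 0, strrpos($good, '.'));
// The two forms discussed in the thread: raw bytes appended, and the hex digest appended.
$rawSig = $input . '.' . hash_hmac('sha256', $input, $secret, true);
$hexSig = $input . '.' . hash_hmac('sha256', $input, $secret, false);

var_dump(jwt_hs256_verify($good, $secret, $now));
var_dump(jwt_hs256_verify($rawSig, $secret, $now));
var_dump(jwt_hs256_verify($hexSig, $secret, $now));
```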

Hey @laeggan,

Can you please private message me your JWT Key and I will take a look?

Thanks,
Tommy

Please don’t bother.
As I said, it now works fine for me.
Thanks.

Happy to hear it’s working! :slight_smile:

-Tommy

Hello Lloyd,
I am running into the same issue that you initially experienced. Do you mind sharing the final version of the working code?