The JSON Web Token (JWT) Authentication module provides a Drupal authentication provider that uses JWTs as the primary factor of authentication.

What is a JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA.

More information here:


Download and install the JWT module as normal. JWT depends on the key module. Install it as normal as well.

JWT ships with its own composer.json and depends on a 3rd party PHP library firebase/php-jwt. You can use the composer_manager module to help install this library or your own composer workflow to download and install this library.

Signing and/or validating JWTs requires a secret. The JWT module leverages the key module to manage these secrets. Once everything is installed, you will need to create a new key at Manage > Configuration > System > Keys (admin/config/system/keys). Add a new or existing key there. Pick the correct key type for the algorithm you want to use:

  • JWT HMAC Key
  • JWT RSA Key


For the issuing and validating your own JWTs, we recommend a file-based key of 512 bits, base64 encoded. You can generate this key with the following command:

head -c 64 /dev/urandom | base64 -w 0 > /path/to/private/dir/jwt.key.txt


For the issuing and validating your own JWTs, we recommend a file-based key, using RSA with 2048 bits. You can generate this key with the following command:

openssl genrsa -out private.key 2048 > /path/to/private/dir/jwt.key.txt

Once you have created a key, navigate to Configuration > System > JWT Authentication (admin/config/system/jwt). Choose the key that you just created in the previous step.

Issuing JWTs

Issuing JWTs means providing tokens which have been signed with a secret key. These JWTs may contain arbitrary information like user ids, specific privileges, or anything serializable into JSON.

Out-of-the-box, the JWT module does not immediately provide a means for accessing created JWTs. If you need an API which is able to provide JWTs, you will need to enable the JWT Authentication Issuer module.

Once enabled, the Issuer module creates an endpoint at /jwt/token which will generate JWTs for the logged in user that accesses it.


Development is being done on GitHub using the pull request model. The GitHub can be found here:

This module is still an alpha release. That is, the API is still subject to change, but those with the resources to find, report, and (hopefully) fix bugs should consider developing against the module.

Supporting organizations: 

Project information