mstdmstd's avatar

JWT Token Signature could not be verified error with external API login

Hello, In Laravel 5.8 / vuejs / vuex / mysql app I use jwt-auth and when I login into the system (standard auth with mysql users table) I use method :

export function setAuthorizationToken(token) {
    axios.defaults.headers.common["Authorization"] = `Bearer ${token}`
}

and it worked ok.

Next I remade SignUp/SignIn to use external API for SignUp/SignIn operations. So my app needs to make SignUp/SignIn with external API, but also I have requests for controls of my app to read/write data from/to mysql.

I remade SignIn request to external API with php curl in control action when user clicks SignIn button, like :

public function login(Request $request)
  {
      $credentials = $request->only('email', 'password');

 // I run login method
          $ch = curl_init();
          curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

          curl_setopt($ch, CURLOPT_URL, $this->admindashApi . '/api/login');
          curl_setopt($ch, CURLOPT_POST, 1);
          curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/json; charset=utf-8"));

          $userLoginData = [
              'email'    => $credentials['email'],
              'password' => $credentials['password'],
          ];
          curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($userLoginData));

          $resp = curl_exec($ch);

          $respArray = json_decode($resp);
          if ( isset($respArray->success) and empty($respArray->success)) { // login fails - return error in response
              $err = curl_error($ch);
              curl_close($ch);

              $errorsArray     = [$respArray->data];
              $errors_message  = $respArray->data;

              return response()->json([
                  'error_code' => 1,
                  'message'    => $errors_message,
                  'errors'     => $errorsArray,
                  'rows_total' => 0,
              ], HTTP_RESPONSE_BAD_REQUEST /*HTTP_RESPONSE_INTERNAL_SERVER_ERROR*/);

          } //if ( isset($respArray->success) and empty($respArray->success)) { // login fail

          $logged_user_token = $respArray->data->token;
          // if login was successful I keep token

           // I need to get details of the logged user
          $loggedUser= null;

          $ch = curl_init();
          curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

          curl_setopt($ch, CURLOPT_URL, $this->admindashApi . '/api/user');

          curl_setopt($ch, CURLOPT_HTTPHEADER, [
              "Content-Type: application/json; charset=utf-8",
              "Authorization: Bearer ".$logged_user_token
          ]);


          $resp = curl_exec($ch);

          $respArray = json_decode($resp);
          if ( isset($respArray->success) and empty($respArray->success)) { // details read fails - return error in response
              $err = curl_error($ch);
              curl_close($ch);

              $errorsArray     = [$respArray->data];
              $errors_message  = $respArray->data;

              return response()->json([
                  'error_code' => 1,
                  'message'    => $errors_message,
                  'errors'     => $errorsArray,
                  'rows_total' => 0,
              ], HTTP_RESPONSE_BAD_REQUEST );

          } //if ( isset($respArray->success) and empty($respArray->success)) {
          $loggedUser= $respArray->data->customer_details;

//            $this->respondWithToken($logged_user_token);

          return response()->json(['error_code' => 0, 'message' => '', "token" => $logged_user_token, 'user'=> $loggedUser ], HTTP_RESPONSE_OK );
          // if user details read was successful I return logged user

      }   // if( !empty($this->useAdmindashApi) and !empty($this->admindashApi)) {

But the problem is when I read data from my mysql db with app controls, I got Token Signature could not be verified in console. I suppose that jwt-auth knows nothing about token I read from external API in $logged_user_token var. Is there a way to write value from $logged_user_token to jwt-auth token in my control above?

flow is:

  1. User opens login page
  2. enters his credentials and runs external api login request with user details
  3. on success in the system I keep token and logged user info
  4. user can open any app page, but some of them have search functionality
  5. When user selects search criteria and clicks search, axios request '/personal/search-results' is run with mentioned error

In routes/api.php I have search-results described

Route::group(['middleware' => 'jwt.auth',  'prefix' => 'personal', 'as' => 'personal.'], function ($router) {
    ...
    Route::post('search-results', 'SearchResultsController@remote_search_web');
    ...
});

and I got the error on first control method request like :

                axios.post(window.API_VERSION_LINK + '/personal/search-results', filters).then((response) => {
                    this.is_page_loaded = true
                    ...
                }).catch((error) => {
                    this.showPopupMessage("Search", error.response.data.message, 'error');
                    this.is_page_loaded = true
                    this.showRunTimeError(error, this);
                });

I am searching for some simple method like JWT::UseThis stringAsToken($string), if it exists ...

Kubuntu 18
"laravel/framework": "5.8.*",
"tymon/jwt-auth": "^1.0.0",


"vue": "^2.5.17",
"axios": "^0.18",
"vuex": "^3.1.0"

Thanks!

mstdmstd's avatar

Reading jwt docs I found here https://github.com/tymondesigns/jwt-auth/wiki/Authentication :

Of course you can also manually set the token as well, as needed if there are other entry points into your application. e.g.

JWTAuth::setToken('foo.bar.baz');

So in my login control when I received token from external API I wrote :

    $logged_user_token = $respArray->data->token;
    ...
    $loggedUser= $respArray->data->customer_details;
    \JWTAuth::setToken($logged_user_token);
    return response()->json(['error_code' => 0, 'message' => '', "token" => $logged_user_token, 'user'=> $loggedUser ], HTTP_RESPONSE_OK );

But running this login method and referring control's action when I read data from db I got the same error :

JWT Token Signature could not be verified.

I found method in vendor/tymon/jwt-auth/src/JWT.php :

    /**
     * Set the token.
     *
     * @param  \Tymon\JWTAuth\Token|string  $token
     *
     * @return $this
     */
    public function setToken($token)
    {
        $this->token = $token instanceof Token ? $token : new Token($token);

        return $this;
    }

and see that $token parameter can be Token or string and then it must be converted to Token object. But if I send a string token from external API, how do I have to render it?

Does JWT have any apply/flash method to apply my new token to JWT?
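
Added example, not part of the original posts and not jwt-auth's own code: a minimal HS256 sign/verify pair showing why a token signed by one party fails verification under another party's key, which is the condition behind "Token Signature could not be verified". It assumes the external API signs its tokens with its own HS256 secret, which the thread does not confirm; all function names, secrets and claims are constructed for illustration.

```php
<?php
// Added example: secrets and claims below are constructed, not values from the thread.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Sign claims as an HS256 JWT with the issuer's secret.
function signHs256(array $claims, string $secret): string
{
    $head = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body = b64url(json_encode($claims));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", $secret, true));
}

// Return the claims when the signature matches $secret, otherwise null.
function verifyHs256(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$head, $body, $sig] = $parts;
    $header = json_decode(base64_decode(strtr($head, '-_', '+/')), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null; // the verifier pins the algorithm instead of trusting the header
    }
    $expected = b64url(hash_hmac('sha256', "$head.$body", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null; // signature made with a different key: the thread's error case
    }
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) {
        return null; // malformed or expired
    }
    return $claims;
}

$externalSecret = 'constructed-external-api-secret'; // held by the external API (assumed)
$localSecret    = 'constructed-local-jwt-secret';    // stands in for this app's JWT_SECRET
$claims         = ['sub' => 42, 'exp' => time() + 3600];

// Token as issued by the external API, checked the way the local middleware would.
$externalToken = signHs256($claims, $externalSecret);
var_dump(verifyHs256($externalToken, $localSecret));

// Token minted locally after the external login succeeded.
$localToken = signHs256($claims, $localSecret);
var_dump(verifyHs256($localToken, $localSecret));
```

The first dump is NULL and the second is the claims array. In a jwt-auth application the local token would be issued by the library, for example with `JWTAuth::fromUser($user)`, rather than by hand-rolled HMAC.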
