FireJWT
[FireJWT]
;##########################
; JSON-Web-Token settings
;##########################
; expiration is the token lifetime in seconds (2592000 = 30 days)
expiration = 2592000
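;##################: Method 1: HMAC SHA512
; private_key is the shared HMAC secret used for both signing and verifying.
; The value below is a sample placeholder: replace it with a long random secret
; (e.g. the output of: openssl rand -base64 64) and keep it out of version control.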
algorithm = HS512
private_key = 123456abcdef
;##################: Method 2: RSA SHA256 with 2048bit private key
;algorithm = RS256
; openssl genrsa -aes256 -out jwt.pem 2048
;private_key = app/jwt.pem
; openssl rsa -in jwt.pem -pubout > jwt.pub
;public_key = app/jwt.pub
;private_key_pass = secret
<?php
/**
* F3 Firebase JsonWebToken engine
*
* The contents of this file are subject to the terms of the GNU General
* Public License Version 3.0. You may not use this file except in
* compliance with the license. Any of the license terms and conditions
* can be waived if you get permission from the copyright holder.
*
* Copyright (c) 2017 by ikkez
* Christian Knuth <mail@ikkez.de>
*
* @version 1.0.3
* @date 20.04.2017
*/
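class FireJWT extends \Prefab {

    /** @var mixed key passed to JWT::encode(): the HMAC secret, or the OpenSSL private key for RS256 */
    protected $private_key;

    /** @var mixed key passed to JWT::decode(): the same HMAC secret, or the OpenSSL public key for RS256 */
    protected $public_key;

    /**
     * @var array
     */
    protected $opt;

    /** @var \Base */
    protected $f3;

    /**
     * Load the settings stored under $configKey in the F3 hive, fill in
     * defaults and prepare the signing / verification keys.
     * @param string $configKey hive key holding the FireJWT settings
     */
    public function __construct($configKey = 'FireJWT') {
        $this->f3 = \Base::instance();
        $this->opt = $this->f3->extend($configKey, [
            // in seconds
            'expiration' => 3600,
            // refresh offset in seconds
            'refresh' => 604800, // 1 week
            // 'HS256', 'HS384', 'HS512', 'RS256'
            'algorithm' => 'HS256',
            'private_key' => '',
            'private_key_pass' => '',
            'public_key' => '',
            // in seconds
            'not_before' => 0,
            'issuer' => $this->f3->HOST,
            'audience' => $this->f3->HOST,
        ]);
        if ($this->opt['algorithm'] === 'RS256') {
            // Asymmetric mode: both settings are file paths. Either one may be
            // left empty, e.g. a verify-only service that holds just the public key.
            // openssl_pkey_get_*() returns false on failure; that is not checked
            // here, so a wrong path or passphrase only surfaces on encode/decode.
            if (!empty($this->opt['public_key']))
                $this->public_key = openssl_pkey_get_public('file://'.$this->opt['public_key']);
            if (!empty($this->opt['private_key']))
                $this->private_key = openssl_pkey_get_private(
                    'file://'.$this->opt['private_key'],
                    $this->opt['private_key_pass']
                );
        } else {
            // HMAC mode: one shared secret signs and verifies. The default is an
            // empty string, so 'private_key' must be configured for HS* algorithms.
            $this->private_key = $this->public_key = $this->opt['private_key'];
        }
    }

    /**
     * generate new token
     *
     * The registered claims (iss, aud, iat, nbf, exp, sub) come first in the
     * array union, so a key of the same name in $meta is ignored and cannot
     * override them.
     * @param string $sub
     * @param array $meta additional claims merged into the payload
     * @return string
     */
    public function generateToken($sub, $meta = NULL) {
        // one clock reading, so iat, nbf and exp are always mutually consistent
        $now = time();
        $claims = [
            // the issuer of the token
            'iss' => $this->opt['issuer'],
            // the audience of the token
            'aud' => $this->opt['audience'],
            // the time the JWT was issued. Can be used to determine the age of the JWT
            'iat' => $now,
            // defines the time before which the JWT MUST NOT be accepted for processing
            'nbf' => $now + $this->opt['not_before'],
            // expiration as NumericDate value. The expiration MUST be after the current date/time.
            'exp' => $now + $this->opt['expiration'],
            // subject of the token
            'sub' => $sub,
        ];
        $payload = $claims + ($meta ?: []);
        return \Firebase\JWT\JWT::encode($payload, $this->private_key, $this->opt['algorithm']);
    }

    /**
     * decode and verify a token
     *
     * Returns the decoded payload object on success, the string 'expired'
     * when the library raises ExpiredException, and FALSE for any other
     * exception. 'expired' is a truthy value: callers must test the result
     * with is_object() (or compare strictly) instead of a plain truthiness
     * check, otherwise an expired token passes as valid.
     *
     * Only the configured algorithm is put on the allow-list, so the "alg"
     * header of an incoming token cannot select the verification algorithm.
     *
     * NOTE(review): the iss and aud claims written by generateToken() are not
     * compared against the configuration here. If other services share the
     * key, consider checking them after decoding - confirm against callers.
     * NOTE(review): key + allowed-algorithm list looks like the pre-6.0
     * firebase/php-jwt decode() signature - confirm the installed version.
     * @param string $token
     * @return bool|object|string
     */
    public function decodeToken($token) {
        try {
            return \Firebase\JWT\JWT::decode($token, $this->public_key, [$this->opt['algorithm']]);
        } catch (\Firebase\JWT\ExpiredException $e) {
            return 'expired';
        } catch (\Exception $e) {
            // bad signature, malformed token, not-yet-valid token or an unusable
            // key all end up here; the cause is intentionally not exposed
            return FALSE;
        }
    }

    /**
     * decode token from request header
     *
     * Reads the Authorization header (or its REDIRECT_HTTP_AUTHORIZATION
     * fallback), strips a leading "Bearer " scheme and hands the rest to
     * decodeToken(). A header value without the scheme is still passed on
     * as-is, as before.
     * @return bool|object|string FALSE when no usable header is present,
     *                            otherwise the result of decodeToken()
     */
    public function getRequestToken() {
        $auth = NULL;
        $found = $this->f3->exists('HEADERS.Authorization', $auth)
            || $this->f3->exists('SERVER.REDIRECT_HTTP_AUTHORIZATION', $auth);
        if (!$found || !is_string($auth))
            return false;
        $jwt = trim($auth);
        // remove the scheme only where it belongs - at the start of the value -
        // instead of deleting every occurrence of "Bearer " inside the header
        if (stripos($jwt, 'Bearer ') === 0)
            $jwt = ltrim(substr($jwt, 7));
        if (strlen($jwt) > 1)
            return $this->decodeToken($jwt);
        return false;
    }

    /**
     * check whether a token is due for a refresh
     *
     * True once the token's iat claim lies more than the configured 'refresh'
     * offset in the past. $token has to be the decoded payload object; the
     * FALSE / 'expired' results of decodeToken() are not objects and must be
     * filtered out by the caller before calling this.
     * @param object $token
     * @return bool
     */
    public function refreshToken($token) {
        return ($token->iat + $this->opt['refresh']) < time();
    }
}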

n0nag0n commented Jul 20, 2021

That's an easy gist to build into its own package. Nice and simple :)
