Signature verification failed in JWTverifier.php

Uncaught Auth0\SDK\Exception\CoreException: Signature verification failed in C:\Users…\laragon\www…\vendor\auth0\auth0-php\src\JWTVerifier.php:226

The examples that, even though truncated, appear to look the same so I don’t understand what is going on.

Fatal error : Uncaught Auth0\SDK\Exception\CoreException: Signature verification failed in C:\Users…\laragon\www\reviewchecked\vendor\auth0\auth0-php\src\JWTVerifier.php:226 Stack trace: #0 C:\Users…\laragon\www\reviewchecked\vendor\auth0\auth0-php\src\Auth0.php(654): Auth0\SDK\JWTVerifier->verifyAndDecode(‘eyJ0eXAiOiJKV1Q…’) #1 C:\Users…\laragon\www\reviewchecked\vendor\auth0\auth0-php\src\Auth0.php(556): Auth0\SDK\Auth0->setIdToken(‘eyJ0eXAiOiJKV1Q…’) #2 C:\Users…\laragon\www\reviewchecked\vendor\auth0\auth0-php\src\Auth0.php(458): Auth0\SDK\Auth0->exchange() #3 C:\Users…\laragon\www\reviewchecked\Login\index.php(19): Auth0\SDK\Auth0->getUser() #4 {main} thrown in C:\Users…\laragon\www\reviewchecked\vendor\auth0\auth0-php\src\JWTVerifier.php on line 226

Hey there @john8, I wanted to share this doc we have on validating JWTs with our auth0 PHP library which looks to be what you are leveraging.

Please take a look and let me know if it helps you in your quest. In the mean time I will continue searching for other possible solutions.


Thank you for getting back to me. I’m using the Auth0-PHP library so I don’t know how that is supposed to help. I actually don’t know why there arent more complaints like this. I even tried using the starter seed library and I am still getting the same error.

Fatal error : Uncaught Auth0\SDK\Exception\CoreException: Signature verification failed in JWTVerifier.php** on line 226

Following up @john8, after some investigation I found that someone is exhibiting a similar issue to you within the Github issues.

As our Senior Engineer suggests in the thread, can you share the configuration you’re using when initializing the Auth0 class removing any sensitive data. Is this a new application you’re building or is this happening with the latest version of the SDK in one that was working before? Thanks in advance!

Hi There. I found this thread looking entries for PHP JWTVerifier. I also faced this problem with the “Signature verification failed in” message.

I found that by default the JWTVerifier class has the supported algorithms setted to HS256:

protected $supported_algs = ['HS256'];

But the default algorithm when creating an API is RS256. The problem happens if you don’t manually change the algorithm to RS256, the program fails to run either because it says a secret is required (which you don’t have for RS256) or the signature fails when overriding that config.

Setting the $supported_algs variable to [‘RS256’] solves the problem and allows you to complete the token verification. I was stucked with this problem for a whole day, I hope it helps somebody :slight_smile: