Authentication Deep Dive 🔐

Implement secure login with JWT tokens, OAuth2 social login, and API token management in PHP.

What You'll Learn in This Lesson

• JWT structure: header, payload, signature
• Build a complete JWT login flow from scratch
• OAuth2 Authorization Code flow for social login
• Generate and validate API tokens with permissions
• Compare sessions, JWTs, and API tokens

Note: PHP runs on a server. Our examples simulate PHP logic using JavaScript. To run real PHP, install PHP.

🎯 Real-World Analogy: JWT is like a stamped hand at a concert — security checks the stamp (signature) without calling the ticket office every time. OAuth2 is like a valet key — you give the valet (third-party app) limited access to your car (data) without handing over your master key (password). API tokens are like employee ID badges — issued centrally, revocable anytime, with different access levels.

JWT Authentication

JWTs let you authenticate users without server-side sessions. The server signs a token containing user data, the client stores it, and sends it with every request. The server verifies the signature without hitting the database — perfect for stateless APIs and microservices.

Try It: JWT Authentication

Create, sign, and verify JWT tokens with claims and expiration

Try it Yourself »

JavaScript

// JWT Authentication from Scratch
console.log("=== JSON Web Tokens (JWT) ===");
console.log();
console.log("JWT = three Base64-encoded parts separated by dots:");
console.log("  HEADER.PAYLOAD.SIGNATURE");
console.log();

// Simulate JWT creation
function base64url(str) { return btoa(str).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_"); }

let header = { alg: "HS256", typ: "JWT" };
let payload = {
  sub: 42,
  name: "Alice",
  email: "alice@example.com",
  role: "admin",
  iat: Math.f
...

OAuth2 & API Tokens

OAuth2 enables "Login with Google/GitHub" by securely exchanging authorization codes for access tokens. API tokens provide persistent, revocable access for third-party integrations — each token can have specific permissions like read-only or full access.

Try It: OAuth2 & API Tokens

Walk through OAuth2 flow and build an API token manager

Try it Yourself »

JavaScript

// OAuth2 & API Token Authentication
console.log("=== OAuth2 Flow (Authorization Code) ===");
console.log();
console.log("Used when users log in via Google, GitHub, Facebook, etc.");
console.log();
console.log("Step 1: Redirect user to provider");
console.log("  → https://github.com/login/oauth/authorize");
console.log("    ?client_id=YOUR_APP_ID");
console.log("    &redirect_uri=https://yoursite.com/callback");
console.log("    &scope=user:email");
console.log("    &state=random_csrf_token");
c
...

⚠️ Common Mistakes

⚠️

Storing JWTs in localStorage — vulnerable to XSS attacks. Use httpOnly, secure cookies instead for browser-based apps.

⚠️

Not validating the 'state' parameter in OAuth2 — this prevents CSRF attacks during the redirect flow. Always generate and verify a random state value.

💡

Pro Tip: Use short-lived JWTs (15 min) with refresh tokens (7 days). This limits damage if a token is stolen while keeping users logged in.

📋 Quick Reference — Authentication

Method	Stateless?	Best For
Session + Cookie	No	Traditional web apps
JWT (Bearer)	Yes	SPAs, mobile, microservices
OAuth2	Depends	Social login, third-party access
API Token	No	Server-to-server, integrations

🎉 Lesson Complete!

You can now implement professional authentication! Next, deep dive into advanced security techniques for PHP applications.