Authentication & Security

25 minutes INTERMEDIATE

Learn how to implement JWT authentication in GEMVC. Master JWT setup, user login endpoints, and protecting routes with role-based access control.

What You'll Learn

JWT Setup

Configure JWT tokens in your application

User Login

Create login endpoint with JWT token generation

Protected Routes

Protect API endpoints with authentication and authorization

GEMVC Built-in JWT Authentication

GEMVC comes with a built-in JWT (JSON Web Token) authentication system. No need to install additional packages or configure complex middleware. The framework handles token creation, verification, and expiration automatically.

Key Features:

  • HS256 Signature - Secure token signing with secret key
  • Automatic Expiration - Tokens expire automatically (configurable)
  • Role-Based Access Control - Multi-role support for authorization
  • Token Renewal - Built-in token renewal mechanism
  • Automatic Verification - Simple auth() method call

Follow the guides below to set up JWT authentication, create login endpoints, and protect your API routes.

Authentication Flow

Here's how authentication works in GEMVC:

1. JWT Setup: Configure TOKEN_SECRET and token expiration in the .env file
2. User Login: User sends credentials → Server verifies → Returns JWT token
3. Protected Routes: Client sends token in Authorization header → Server verifies → Grants/denies access

Built-in Security Features

GEMVC's JWT implementation includes automatic security features:

✓ Signature Verification

All tokens are signed with the HS256 algorithm using TOKEN_SECRET. Forged tokens are automatically rejected.

✓ Expiration Validation

Tokens expire automatically after the configured time. Expired tokens are rejected with 401 Unauthorized.

✓ Role-Based Access Control

Multi-role support with a simple auth(['admin']) method call. Role escalation attacks are prevented.

✓ Token Renewal

Built-in token renewal mechanism allows extending token lifetime without re-authentication.
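
The signature, expiration and role checks listed above, written out in plain PHP as an added example; this is not GEMVC's own code. The function names, the `roles` claim, the Unix-timestamp `exp` claim and the 403 status for a role mismatch are assumptions of this example.

```php
<?php
// Added illustration, not GEMVC source. Function names, the "roles" claim
// and the 403 status for a role mismatch are assumptions of this example.
function b64u_enc(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64u_dec(string $txt) {
    $txt .= str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return base64_decode(strtr($txt, '-_', '+/'), true);
}
function issue_token(array $claims, string $secret): string {
    $head = b64u_enc(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64u_enc(json_encode($claims));
    // HS256 is symmetric: whoever holds the secret can mint valid tokens.
    return "$head.$body." . b64u_enc(hash_hmac('sha256', "$head.$body", $secret, true));
}
function verify_token(string $jwt, string $secret, array $allowed, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return [401, 'malformed'];
    [$head, $body, $sig] = $parts;
    // Pin the algorithm; the token must not choose how it is verified.
    $hdr = json_decode((string) b64u_dec($head), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') return [401, 'bad alg'];
    // Recompute the MAC over header.payload and compare in constant time.
    $given = b64u_dec($sig);
    $want  = hash_hmac('sha256', "$head.$body", $secret, true);
    if ($given === false || !hash_equals($want, $given)) return [401, 'bad signature'];
    // Claims are trusted only after the signature check has passed.
    $claims = json_decode((string) b64u_dec($body), true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null)) return [401, 'no exp'];
    if ($claims['exp'] <= $now) return [401, 'expired'];
    $roles = is_array($claims['roles'] ?? null) ? $claims['roles'] : [];
    if ($allowed && !array_intersect($allowed, $roles)) return [403, 'role not allowed'];
    return [200, 'ok'];
}
// Constructed sample data; the clock is fixed so the output is repeatable.
$secret = 'constructed-demo-secret';
$now    = 1700000000;
$user   = issue_token(['sub' => 42, 'roles' => ['user'], 'exp' => $now + 900], $secret);
$stale  = issue_token(['sub' => 42, 'roles' => ['admin'], 'exp' => $now - 1], $secret);
// Payload edited to claim admin while keeping the original signature.
[$h, , $s] = explode('.', $user);
$edited = "$h." . b64u_enc(json_encode(['sub' => 42, 'roles' => ['admin'], 'exp' => $now + 900])) . ".$s";
$cases = ['user token, user route' => [$user, ['user']], 'user token, admin route' => [$user, ['admin']],
          'edited payload, admin route' => [$edited, ['admin']], 'expired admin token' => [$stale, ['admin']]];
foreach ($cases as $label => [$token, $need]) {
    [$code, $why] = verify_token($token, $secret, $need, $now);
    echo "$label => $code $why\n";
}
```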

🔐 Ready to Secure Your API?

Start with JWT setup, then create a login endpoint, and finally protect your routes. Follow each guide to implement complete authentication in your GEMVC application!