PHP auth example

In this example, we add authentication and access control to a PHP application.

To demonstrate both authentication and access control, our application will have several routes:

/Home page (index.php)(opens new window)
/protected.phpUser dashboard, for logged in users only(opens new window)
/admin.phpAdmin dashboard, for admins only(opens new window)
/login.phpLogin page(opens new window)
/reset.phpPassword reset page(opens new window)

We cover each route below, along with an interactive sample at the end.

Sample on PHP sandbox

Sandbox with code(opens new window)

Live demo(opens new window) (you may need to visit the sandbox first to "wake up" the demo server)

PHP authentication

At a high level, PHP authentication is structured in 2 parts:

  1. Send an initial request to Userfront to get the JWT access token and save it as a cookie. This is what the signup and login forms do.

  2. Send the JWT access token as a cookie to your server with each subsequent request. To verify the JWT access token, we will use the PHP-JWT library(opens new window)

PHP authentication diagram

Logged in vs. logged out

When someone new visits the Home page, they should see a signup form.

When a user is logged in and visits the Home page, they should see navigation to visit the dashboard, as well as a button to logout.


In the event that the user does not have access to a page, we want to redirect them:

If the user visitsRedirect to
/protected.php when not logged in/login.php
/admin.php when not an admin/protected.php

With Userfront, a logged in user will have a JWT access token saved in their cookies as access.ACCOUNT_ID.

In this example, we use access.pn4qwpby

Public route

For showing and hiding simple things that are not sensitive, we can check whether the user has a JWT access token.

If the user does have a token present, we can display items as though they are logged in, and if not, we can display items as though they are logged out.

Checking for the presence of the JWT access token should only be used for showing or hiding non-sensitive items. For sensitive data, verify the JWT access token as described below.

For this site, we show a link to the dashboard if logged in, and we show the signup form if logged out.

For any sensitive information, we want to protect our routes as described next.


Logged in home page:

Logged out home page:

Protected route

To protect a route in PHP, we need to verify that the JWT access token is valid and has not expired.

To verify our JWT access token, we can use the account's JWT public key.

We will use the open source PHP-JWT(opens new window) library to verify our JWT access tokens. We can install this library with composer:

You can find your JWT public key in the Settings section of your dashboard.

Be sure to use your test mode key when in test mode, and your live mode key when in live mode.

If the JWT access token is not present or is invalid, we redirect to /login.php. Otherwise, we display the dashboard page.

There are 2 forms of authentication here:

  1. If the JWT access token is not present in the cookies, redirect to /login.php:
  1. If the JWT access token is not valid for any reason, remove all Userfront cookies and redirect to /login.php:


Logged in dashboard page:

Admin route

If you haven't already, install the JWT-PHP(opens new window) library:

The admin route is similar to the protected route, except in addition to verifying the JWT access token, we also check that the JWT access token has an admin role.


Logged in admin page:

Here is the an additional check to make sure the JWT access token has the admin role:

JWT access token payload

The JWT access token has an authorization object that contains the user's roles:

Sample code

The above routes are combined into a working sample below, where you can navigate a website running the live code.

The website is hosted at new window) and may require you to visit the PHP sandbox editor(opens new window) first before the website works.