JWT signature verification in PHP

Hi, I tried looking everywhere but I couldn’t find anyone with a similar issue.
I am trying to verify the JWT token signature in my backend, signature comes from developer rig.

I got my secret from the backend and I am base64 decoding it, then I try to verify the signature using this library: https://github.com/lcobucci/jwt

Which, other than being recommended by jwt.io works pretty well, been using it for ages in all of my projects.


$token = (new Parser())->parse((string) AccessToken::readFromRequest($request)); 
$signer = new Sha256();
// Fails
dd($token->verify($signer, base64_decode('mysecret=')));

Can someone point me to the right direction?

So what’s the function dd do?

Hi Barry, sorry my bad, dd is just dump and die, I should’ve written it as:

$result = (bool) $token->verify($signer, base64_decode('mysecret='));
dump($result); // false

I have checked with jwt.io and it is not correct (base64 encoded)
I have found threads referencing an issue with the dev rig using the wrong secret (i.e. not the one from the dashboard). Is there any way to verify what secret it is using?

Answering my own question, hoping this will be of help.
The dev rig doesn’t look like it uses the secret from the dashboard.
It uses its own special secret which you can find by going to Project details then scroll down to: Run your back-end service locally with the Developer Rig.
Inside you will find a command, that command has a -s parameter which is the actual secret!
Using that in the backend I was able to verify the signature.

That only applies to that particular Dev Rig example/backend. Not as a “general rule”.

Most of us when using the dev rig to build our own extensions don’t pass in the secret via -s, or if we do we pass the one in from our own Extension. You’ve been tripped up by an example extension!

Hi Barry,

Thing is that I am not launching my backend from the dev rig, it exists independently, is there any way to check which secret is the rig actually using, looks like it’s using that specific token…

The rig should use the Secret applied to it from the ExtensionID. (You may need to hit refresh manifest to make sure it’s up to date)

So it should use the corresponding secret from the console https://dev.twitch.tv/console/extensions for the Extension you are working on

I have been trying this for a long while now and I can assure it’s using an arbitrary secret. I have removed all references to the backend and I still get the wrong signature error unless I use the one I got from the backend command.

Is there any way to debug this issue? Is there a way to console.log what secret is the rig using and especially why?
Is there a way to set in the json configuration file a secret?


The only thing I can think of is that you picked “new extension” from Create New Project:

And for whatever reason the rig is using a blank/default extension or hasn’t pulled the secret down over the API.

You may need to refresh manifest

And/or when creating a view set it to a “real” user rather than the “Developer Rig” user. (Ticking Use Current user works correctly for me)

But I’m not sure as every extension I have loaded uses the Real ExtensionClientID/Secret, but then they are all pointed at real ID’s for the Frame Properties

Also make sure your Rig is up to date (current version is v1.2.1)
Or consider remaking the project in the rig.

Additionally the problem may stem from having selected a template to create a project from rather than starting fresh.


Thanks Barry, very helpful, I ended up recreating the project from scratch and it fixed the issue.
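
One way to answer "which secret is the rig using?" from the backend side, as an added example that is not part of the original posts and does not use lcobucci/jwt: it recomputes the HS256 signature with each candidate secret and reports only the label of the one that matches. The function names, labels, secrets and token are constructed for illustration.

```php
<?php
// Added example: constructed data only, plain PHP, no lcobucci/jwt calls.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    $padded = $txt . str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true); // false on bad input
}

// Returns the label of the first candidate secret whose HMAC-SHA256 matches
// the token's signature, or null if none matches or the token is not HS256.
function matching_secret(string $jwt, array $candidatesB64): ?string {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return null; // pin the algorithm; do not let the token pick it
    }
    $sig = b64url_decode($s);
    if ($sig === false) {
        return null;
    }
    foreach ($candidatesB64 as $label => $b64) {
        $key = base64_decode($b64, true); // secret is handed out base64-encoded
        if ($key !== false && hash_equals(hash_hmac('sha256', "$h.$p", $key, true), $sig)) {
            return $label; // report the label only, never the secret itself
        }
    }
    return null;
}

// Constructed sample data: neither value is a real extension secret.
$secrets = [
    'dashboard'      => base64_encode('constructed-dashboard-secret'),
    'rig -s command' => base64_encode('constructed-rig-example-secret'),
];
// Constructed token, signed with the second secret to mimic the mismatch in the thread.
$h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$p = b64url_encode(json_encode(['role' => 'viewer', 'exp' => 4102444800]));
$s = b64url_encode(hash_hmac('sha256', "$h.$p", base64_decode($secrets['rig -s command']), true));
$token = "$h.$p.$s";

echo 'signed with: ', matching_secret($token, $secrets) ?? 'no candidate', PHP_EOL;
// The still-encoded string used directly as the key does not match:
var_dump(hash_equals(hash_hmac('sha256', "$h.$p", $secrets['rig -s command'], true), b64url_decode($s)));
```

A result of "no candidate" for a token captured from the rig means it was signed with a secret that is not in the list, which is the situation the thread resolves by refreshing the manifest or recreating the project.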

How do you update the rig? The About context menu on osx shows 1.0.3, with no option to update.

I think that was the version that broke updating. Usually the rig will check for and install updates automagically.

You can update manually via