ModJWT: Working with JSON Web Token (JWT) on MODx

Just developing JSON Web Token (JWT) extra for MODX. Please take a look at

Demo page:



JWT for MODX is very interesting. It might be worth checking this too, though apparently its not production ready yet.


Although modJWT can be extended and used for session, but the main purpose of this extra is to provides basic mechanism for issuing or validating Token for restful API.

For example, if I have download files in different domain in the Cloud that need to be secured and protected, and I want to give access to MODx users in other server, this module serving this kind of stateless Token for security.

  • serverX-domainA: modx installation
  • serverY-domainB: videos, MP3s, documents, etc.

All files in serverY protected behind Auth-JWT mechanism, similar to Auth-Basic or Auth-Digest but using JWT.

To get those files, modJWT on serverX provides modx users a unique and one-time-use Token for each request to be able to login or pass Auth-JWT on serverY. The Token could be:

  • Stateless JSON Web Token, or
  • Stateful JSON Web Token

The list of Auth-JWT for web server can be found on website

1 Like

Very cool. I was just about to start building JWT into a custom app :slight_smile:


Hi, got to say your plugin rocks, it saved me lots of time, still missing one thing, where can I config the exp time for the token, I can see this in the code $this->config[‘expAge’] but im confused on where to set the expAge?

1 Like

Just add expAge as a property when you call the jwtEncode-snippet.

[[!jwtEncode? &expAge=`3600`]]


$token = $modx->runSnippet('jwtEncode', array('expAge'=>'3600'));

I have been trying to get this to work for some time but I am missing a crucial step>

fresh install of Modx 2.8.4 or 3.0.1 Install your package…

Edit the JWT example page to return OnValidate and OnToken OnCustom (in the example page). When running the demo and creating a token it makes one… but validating never works. If i copy the created token and paste it in it shows up valid and has my key… when I try to run a postman or even your demo it just never works… always get a

“_valid”: 0,
“status”: 400,
“statusText”: “Bad Request”,
“errorLog”: "Invalid Token: "

should this demo work out of the box? any tips you can offer? should this work with
Authorization Bearer {tokenhere} ?

any advice! thanks so much!