My name is Florent Morselli (flɔʁɑ̃ mɔʁseli). I am a French web developer and project manager passionate about PHP, ReactJS and Free, Libre & Open-Source Software. As far as possible, I contribute to projects or publish my own work.

🧡 Since early 2025, I am proud to be a . This allows me to help shape the future of the framework I use and love daily.

The projects I am working on are mainly related to security over web applications. In particular, you will find useful libraries of Symfony bundles for

• One-Time Passwords (TOTP/HOTP) => see https://github.com/Spomky-Labs/otphp,
• Json Web Tokens (JWT, including signed and encrypted ones) => see https://github.com/web-token,
• Web Push => see https://github.com/Spomky-Labs/web-push,
• Concise Binary Object Representation (CBOR) => see https://github.com/Spomky-Labs/cbor-php,
• Webauthn => see https://github.com/web-auth.

Among all of these projects, let me encourage you to read more about Webauthn, a PHP implementation I am working on since end of 2018 and that will help you to get rid of passwords.

In addition, I had the opportunity to share my knowledge during the following events:

• September 2022: I presented the possibilities offered by this technology during the second edition of ApiPlatformCon in September 2022 in Lille, France.
• March 2023, I gave two 1-day workshops during the Symfony Live Paris 2023.
• December 2023, I gave a 1-day workshop during the Symfony Con Brussels 2023.
• March 2024, I presented my feedback on the Progressive Web Apps and gave a 1-day workshop during the Symfony Live 2024.
• March 2025, I gave a 1-day workshop during the Symfony Live 2025

Feel free to ask me about all of these FLOSS projects or reach me on any other topics you may want to discuss.

Hereafter an overview of my involvement in the Open-Source ecosystem. If you wish, you can sponsor me. The GitHub Sponsors page or the Patreon page are made for that purpose. Any help is greatly appreciated and allows me to spend time on these projects.

• Spomky-Labs/otphp - 🔐 A PHP library for generating one time passwords according to RFC 4226 (HOTP) and the RFC 6238 (TOTP) (today)
• web-token/jwt-framework - JWT Framework (1 day ago)
• Spomky-Labs/dbsc-bundle - Device Bound Session Credentials (DBSC) for Symfony: protect sessions from cookie theft with hardware-bound keys. (1 day ago)
• web-auth/webauthn-framework - FIDO-U2F / FIDO2 / Webauthn Framework (1 week ago)
• web-auth/doc - Documentation (3 weeks ago)
• web-auth/cose-lib - Cose Key and Algorithms support (1 month ago)
• web-auth/webauthn-lib - [READ ONLY] Webauthn library (1 month ago)
• web-auth/webauthn-symfony-bundle - [READ ONLY] Webauthn Symfony Bundle (1 month ago)
• Spomky-Labs/phpwa-doc - This is the repository for the GitBook documentation available at the website below (2 months ago)
• web-token/jwt-doc - Documentation for the JWT Framework (2 months ago)

• [FrameworkBundle][Mailer][Mime] Add PGP/MIME signing and encryption support on symfony/symfony (today)
• fix: enforce minimum digest length on Spomky-Labs/otphp (1 day ago)
• Merge-up 4.1.x → 4.2.x (security fixes) on web-token/jwt-framework (1 day ago)
• Merge-up 4.0.x → 4.1.x (security fixes) on web-token/jwt-framework (1 day ago)
• Merge-up 3.4.x → 4.0.x (security fixes + accumulated backports) on web-token/jwt-framework (1 day ago)
• Update signature tests for the protected-header "alg" requirement on web-token/jwt-framework (1 day ago)
• Feature/per firewall configuration on Spomky-Labs/dbsc-bundle (2 days ago)
• style: coding standards & static analysis on 11.4.x on Spomky-Labs/otphp (1 week ago)
• fix(top-origin): reject cross-origin responses when no validator is configured on web-auth/webauthn-framework (2 weeks ago)
• docs(examples): add basic, usernameless, passkey-upgrade and signal-api pure-PHP demos (#649) on web-auth/webauthn-framework (2 weeks ago)

• Spomky-Labs/otphp (11.5.0, 1 day ago) - 🔐 A PHP library for generating one time passwords according to RFC 4226 (HOTP) and the RFC 6238 (TOTP)
• web-token/jwt-framework (4.1.7, 1 day ago) - JWT Framework
• Spomky-Labs/dbsc-bundle (0.3.0, 1 day ago) - Device Bound Session Credentials (DBSC) for Symfony: protect sessions from cookie theft with hardware-bound keys.
• api-platform/core (v4.3.10, 2 days ago) - The server component of API Platform: hypermedia and GraphQL APIs in minutes
• web-auth/webauthn-framework (5.3.5, 1 week ago) - FIDO-U2F / FIDO2 / Webauthn Framework
• SymfonyCasts/tailwind-bundle (v0.13.0, 1 week ago) - Delightful Tailwind Support for Symfony + AssetMapper
• symfony/symfony (v8.1.0, 1 week ago) - The Symfony PHP framework
• symfony/http-foundation (v8.1.0, 1 week ago) - Defines an object-oriented layer for the HTTP specification
• symfony/security-core (v8.1.0, 1 week ago) - Symfony Security Component - Core Library
• symfony/validator (v8.1.0, 1 week ago) - Provides tools to validate values

• tacman (2 years ago)
• YousignAdmin (3 years ago)
• passbolt (5 years ago)