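/**
 * Build the Sign in with Apple "client secret": a compact JWS signed with ES256.
 *
 * @param string      $kid           10-character key ID for my app from the developer portal
 * @param string      $iss           my 10-character team ID from the developer portal
 * @param string      $sub           the app's identifier, e.g. com.mycoopany.myapp
 * @param string|null $privateKeyPem PEM-encoded private key (the .p8 converted with
 *                                   `openssl pkcs8 -in key.p8 -nocrypt -out key.pem`).
 *                                   Pass it in from configuration or a secret store kept
 *                                   outside the web root and out of version control; the
 *                                   placeholder embedded below is used only when this is null.
 * @return string|false signed JWT, or false when the key cannot be loaded, the
 *                      header/claims cannot be JSON-encoded, or signing fails
 */
public static function generateJWT($kid, $iss, $sub, $privateKeyPem = null)
{
    // Read the clock once so iat and exp are derived from the same instant.
    $now = time();

    $header = [
        'alg' => 'ES256',
        'kid' => $kid,
    ];
    $claims = [
        'iss' => $iss,
        'iat' => $now,
        'exp' => $now + 600, // short lifetime: the secret only needs to cover one token exchange
        'aud' => 'https://appleid.apple.com',
        'sub' => $sub,
    ];

    // Placeholder only. A real signing key must not be committed to source; load it from
    // a file with restrictive permissions or a secret store and pass it as $privateKeyPem.
    if ($privateKeyPem === null) {
        $privateKeyPem = <<<EOD
-----BEGIN PRIVATE KEY-----
My private key converted from .p8 to .pem by command: openssl pkcs8 -in key.p8 -nocrypt -out key.pem
-----END PRIVATE KEY-----
EOD;
    }

    $privKey = openssl_pkey_get_private($privateKeyPem);
    if (!$privKey) {
        return false;
    }

    // json_encode returns false on invalid UTF-8; bail out rather than sign a malformed token.
    $headerJson = json_encode($header, JSON_UNESCAPED_SLASHES);
    $claimsJson = json_encode($claims, JSON_UNESCAPED_SLASHES);
    if ($headerJson === false || $claimsJson === false) {
        return false;
    }

    $signingInput = self::encode($headerJson) . '.' . self::encode($claimsJson);

    $derSignature = '';
    if (!openssl_sign($signingInput, $derSignature, $privKey, OPENSSL_ALGO_SHA256)) {
        return false;
    }

    // OpenSSL emits a DER-encoded ECDSA signature; self::fromDER (defined elsewhere in the
    // class) presumably converts it to the fixed 64-byte r||s form JWS expects for ES256 —
    // confirm against its implementation.
    $rawSignature = self::fromDER($derSignature, 64);

    return $signingInput . '.' . self::encode($rawSignature);
}

/**
 * Base64url-encode a byte string (RFC 4648 §5) with the '=' padding stripped,
 * as required for JWS segments.
 *
 * @param string $data raw bytes
 * @return string unpadded base64url text
 */
private static function encode($data)
{
    $base64 = base64_encode($data);

    return rtrim(strtr($base64, '+/', '-_'), '=');
}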