auth-server-php overview

vendidit/auth-server-php is the framework-agnostic PHP core for backends consuming the auth-server. Mirrors auth-server-ts directory-for-directory — same names where the language-idiomatic translation is direct.

AuthClient::validateBearer() / login() / register() / refresh() / logout() / me() / authenticatedRequest() plus a Flows facade for 22 additional endpoints (password lifecycle, email verification, 2FA, sessions, SSO with PKCE, m2m, admin lookup/impersonate, audit log). PSR-18 transport, PSR-16 cache, PSR-3 logger — all swappable.

Source	Vendidit/auth-server-php
Stack	PHP 8.1+ · PSR-18 · PSR-16 · PSR-3 · firebase/php-jwt
Companion	auth-server-laravel (Laravel adapter)
Mirror	auth-server-ts (TS equivalent)

📦

Every consumer needs to register an app first. A system_admin creates an apps row, the consumer sets VENDIDIT_APP_CODE + JWT_ACCESS_SECRET, and tokens issued to that app_code carry the right scope. See the full flow in App registration.

When to use this directly

• You’re on Symfony (until a dedicated adapter ships).
• You’re on Slim, CodeIgniter, WordPress, or pure PHP.
• You’re building a custom Laravel integration that doesn’t fit auth-server-laravel’s shape.

If you’re on Laravel, install auth-server-laravel instead.

The 80% usage

use Vendidit\AuthServer\AuthClient;
use Vendidit\AuthServer\Config;
use Vendidit\AuthServer\Http\HttpTransport;

$config = new Config(
    authServerUrl: getenv('AUTH_SERVER_URL'),
    appCode: getenv('AUTH_APP_CODE'),
    jwtAccessSecret: getenv('JWT_ACCESS_SECRET'),
    jwtIssuer: 'ven-auth',
    jwtAudience: 'ven-platform',
);

$transport = new HttpTransport(
    httpClient: $psr18Client,        // any PSR-18 client
    requestFactory: $requestFactory, // PSR-17
    streamFactory: $streamFactory,
    baseUrl: $config->authServerUrl . '/api/v1',
);

$auth = AuthClient::build(
    config: $config,
    transport: $transport,
);

$principal = $auth->validateBearer($request->getHeader('Authorization')[0] ?? '');

What it gives you

• AuthClient facade — the recommended entry point. Mirrors the TS facade method-for-method where idiomatic.
• Flows — extended endpoint surface: password lifecycle, email verification, 2FA, sessions, SSO with PKCE, m2m, admin lookup/impersonate, audit log.
• JwtValidator — local HS256 validation with secret rotation + revocation cache gate.
• Bundled adapter impls — HttpTransport (PSR-18 wrapper), NullRevocationCache, InMemorySessionStore, SystemClock.
• Typed exception hierarchy rooted at VenAuthException — same 15 classes as auth-server-ts.
• PSR contracts everywhere — PSR-18 (HTTP), PSR-16 (cache), PSR-3 (logger). Pull in your project’s existing implementations.

Related pages

• How it works — façade composition, port pattern.
• Quickstart.
• Class reference — auto-generated.
• auth-server-laravel — the Laravel adapter that wraps this.
• auth-server-ts — the TS equivalent.