
AuthClient

class Vendidit\AuthServer\AuthClient Source: src/AuthClient.php

Public facade for the auth-php package.

Composes the ports (TokenValidator, Transport, SessionStore, Clock, RevocationCache) into a small surface for app code. Mirrors the TS reference auth-client/src/core/auth-client.ts in intent, adapted to idiomatic PHP — no reactive snapshot, no cross-tab broadcast (PHP is single-process per request).

Typical use (server-side Laravel app):

$principal = $client->validateBearer($request->bearerToken());
$user = $client->me($accessToken);

Login / refresh / etc. go through the wrapped Transport and surface typed Domain DTOs.

Methods

build(Config $config, Transport $transport, ?RevocationCache $revocationCache = null, ?SessionStore $session = null, ?Clock $clock = null, ?LoggerInterface $logger = null)

Convenience builder for callers that don’t want to compose the ports by hand. The caller still passes a concrete Transport (PSR-18 is a hard dependency there). Clock and SessionStore default to in-memory implementations.

validateToken(string $jwt)

Validate an access token (or service token) locally. Returns a typed Principal. Throws TokenExpiredException / TokenInvalidException / TokenRevokedException.

validateBearer(?string $headerValue)

Validate an “Authorization: Bearer …” header. Returns null when the header is missing or empty (lets the caller decide whether to 401).

login(string $email, string $password, array $opts = [])

Password login (POST /auth/login). Returns the AuthResponse. When the server requires 2FA, AuthResponse::$requiresTwoFactor is true and $tokens is null — the caller prompts for the code and resubmits with it in $opts['twoFactorCode'].

@param array{organizationId?:string|null, rememberMe?:bool, twoFactorCode?:string|null, appCode?:string|null} $opts
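The bearer gate (validateBearer / validateToken exceptions) and the 2FA login round-trip described above, as an added example that is not part of the package’s own code. It assumes an already-built AuthClient, that the documented exception and DTO classes live in the Vendidit\AuthServer namespace, and a hypothetical $promptForCode callable supplied by the app.

```php
<?php
declare(strict_types=1);

use Vendidit\AuthServer\AuthClient;
// Exception classes are documented on this page; their namespace is assumed here.
use Vendidit\AuthServer\TokenExpiredException;
use Vendidit\AuthServer\TokenInvalidException;
use Vendidit\AuthServer\TokenRevokedException;

/**
 * Gate an incoming request on its Authorization header.
 * Returns [HTTP status, principal-or-null, reason]. Every failure maps to 401;
 * the reason is for server-side logging only, never echoed to the client.
 */
function gateRequest(AuthClient $client, ?string $authorizationHeader): array
{
    try {
        $principal = $client->validateBearer($authorizationHeader);
    } catch (TokenExpiredException $e) {
        return [401, null, 'expired'];
    } catch (TokenRevokedException $e) {
        // Token-version bumped by logoutAll(): reject like any other bad token.
        return [401, null, 'revoked'];
    } catch (TokenInvalidException $e) {
        return [401, null, 'invalid'];
    }
    // validateBearer() returns null for a missing/empty header; we choose 401.
    if ($principal === null) {
        return [401, null, 'missing'];
    }
    return [200, $principal, 'ok'];
}

/**
 * Password login with the 2FA round-trip: on requiresTwoFactor the tokens are
 * null, so the same credentials are resubmitted with the one-time code.
 * $promptForCode is a hypothetical app-supplied callable returning the code.
 */
function loginWithTwoFactor(AuthClient $client, string $email, string $password, callable $promptForCode)
{
    $response = $client->login($email, $password, ['rememberMe' => false]);
    if ($response->requiresTwoFactor) {
        $response = $client->login($email, $password, [
            'rememberMe'    => false,
            'twoFactorCode' => $promptForCode(),
        ]);
    }
    return $response; // AuthResponse with $tokens populated on success
}
```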

refresh(?string $refreshToken = null, array $opts = [])

Refresh access + refresh tokens (POST /auth/refresh). Returns the new AuthResponse. Optional context fields switch the active org / app without forcing a fresh password login.

@param array{organizationId?:string|null,appCode?:string|null} $opts

logout()

Logout the current session (POST /auth/logout). Best-effort: clears the local SessionStore even if the server call fails — the access token reaches natural exp regardless. Authenticated endpoint (auth-server AUDIT 1.23) so the access token is attached.

logoutAll()

Logout-all: revoke every refresh token + bump per-user token-version (POST /auth/logout/all). After this call, every outstanding access token for the user is invalid cross-replica within ~one cache TTL.

me(?string $accessToken = null)

GET /auth/me — current user as a server-authoritative payload.

@return array<string,mixed>

register(array $payload)

Register a new user (POST /auth/register).

@param array<string,mixed> $payload Body fields per the server’s RegisterRequest DTO

authenticatedRequest(string $method, string $path, ?array $body = null, array $headers = [])

Authenticated request helper. Issues the call with the current access token; on 401, attempts ONE refresh + ONE retry (mirrors auth-client autoRetryOn401). Returns the decoded body.

@param array<string,mixed>|null $body
@param array<string,string> $headers
@return array<string,mixed>