Labsco
auth0 logo

auth0-php-api

โ˜… 37

by auth0 ยท part of auth0/agent-skills

Use when protecting PHP API endpoints with JWT Bearer token validation or scope checks. Integrates auth0/auth0-php in API mode for stateless APIs receiving access tokens.

๐Ÿงฉ One of 7 skills in the auth0/agent-skills package โ€” works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates โ€” you don't need to read it to use the skill, but it's here to audit before installing.

Auth0 PHP API Integration

Protect PHP API endpoints with JWT access token validation using auth0/auth0-php in API mode (STRATEGY_API).


When NOT to Use

  • PHP web applications with login/logout flows - Use auth0-php for session-based authentication
  • Laravel applications - Use auth0/laravel-auth0 which has built-in API guard support
  • Symfony applications - Use auth0/symfony with its security bundle
  • Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth
  • Issuing tokens - This skill is for validating access tokens, not issuing them

Key SDK Methods

MethodReturnsPurpose
getBearerToken?TokenInterfaceSearches specified $_SERVER keys for a Bearer token, verifies signature, validates claims. Returns null if no token found or validation fails (does not throw).
decodeTokenInterfaceManually decodes and validates a JWT string
configurationSdkConfigurationAccess the SDK configuration instance
Token::toArrayarrayReturns all token claims as an associative array
Token::getSubject?stringReturns the sub claim (user/client ID)
Token::getIssuer?stringReturns the iss claim
Token::getAudience?arrayReturns the aud claim
Token::getExpiration?intReturns the exp claim (Unix timestamp)

  • auth0-php - For PHP web apps with login/logout using session-based auth
  • auth0-quickstart - Basic Auth0 setup and framework detection
  • auth0-cli - Manage Auth0 resources from the terminal
  • auth0-mfa - Add Multi-Factor Authentication

Quick Reference

SdkConfiguration for APIs:

$configuration = new SdkConfiguration(
    strategy: SdkConfiguration::STRATEGY_API,       // required - stateless mode
    domain: $_ENV['AUTH0_DOMAIN'],                   // required
    audience: [$_ENV['AUTH0_AUDIENCE']],             // required - array of identifiers
    tokenAlgorithm: 'RS256',                        // default
    tokenCache: $psrCacheAdapter,                    // recommended for production
    tokenCacheTtl: 600,                             // JWKS cache TTL in seconds
);

Token validation:

$token = $auth0->getBearerToken(server: ['HTTP_AUTHORIZATION']);  // returns ?TokenInterface
$claims = $token->toArray();                         // all claims as array
$userId = $token->getSubject();                      // sub claim

Manual decode:

use Auth0\SDK\Token;

$token = $auth0->decode(
    $jwtString,
    tokenType: Token::TYPE_ACCESS_TOKEN,
);

Environment variables:

  • AUTH0_DOMAIN - your Auth0 tenant domain (e.g. tenant.us.auth0.com)
  • AUTH0_AUDIENCE - your API identifier (e.g. https://api.example.com)

Common Use Cases:

  • Protect routes -> requireAuth($auth0) (see Step 5)
  • Scope enforcement -> requireAuth($auth0, ['read:messages']) (see Step 5)
  • CORS setup -> Integration Guide
  • Multi-audience validation -> Integration Guide
  • Advanced configuration -> API Reference

Detailed Documentation

  • Setup Guide - Auth0 CLI setup, environment configuration, getting test tokens
  • Integration Guide - Scopes, permissions, middleware, multi-audience, CORS, error handling
  • API Reference - Complete SDK API for API mode, configuration options, token methods

References