Skip to content
SDKs · PHPIn development

rootherald/rootherald

Server-side SDK for PHP 8.1+. Default path: server→server Background-Check attest (appraise client evidence with your rh_sk_ secret key, verdict returned directly). Also verifies portable tokens against your project's JWKS. Pure PHP — only requires ext-openssl and firebase/php-jwt.

In development

This SDK is implemented but not yet published to its package registry. Until it ships, mint attestation tokens on the device and verify them server-side with @rootherald/node (or any available server SDK). The API shown below is the planned surface and may change before release.

Install

composerbash
composer require rootherald/rootherald

Verify a token

signup.phpphp
use Rootherald\Client;
use Rootherald\Verdict;

$client = new Client(
    issuer: 'https://rootherald.io/myorg',
    jwksUri: 'https://rootherald.io/myorg/.well-known/jwks.json',
);
$claims = $client->verifyToken($token);

if ($claims->verdict === Verdict::PASS) {
    // proceed with signup
}

Laravel middleware

routes/api.phpphp
Route::post('/signup', SignupController::class)
    ->middleware(['rootherald.guard:signup']);

// In SignupController:
$claims = request()->attributes->get('rootherald_claims');
// $claims->deviceId, $claims->verdict, $claims->tpmClass, ...

The service provider auto-registers via Composer. Set ROOTHERALD_ISSUER in your .env file. Append ,strict to the middleware parameters to reject WARN verdicts in addition to FAIL.

Symfony subscriber

config/services.yamlyaml
services:
    Rootherald\Client:
        arguments:
            $issuer: '%env(ROOTHERALD_ISSUER)%'
    Rootherald\Symfony\EventSubscriber\RootheraldSubscriber:
        tags: ['kernel.event_subscriber']

Mark a route as guarded by setting the _rootherald_action route default (or via a controller attribute) to the business action name.

WordPress

A single-file plugin that gates user registration on a valid attestation token ships with the SDK. Drop it into wp-content/plugins/, set ROOTHERALD_ISSUER in wp-config.php, and activate.