rootherald/rootherald
Server-side SDK for PHP 8.1+. Default path: server→server Background-Check attest (appraise client evidence with your rh_sk_ secret key, verdict returned directly). Also verifies portable tokens against your project's JWKS. Pure PHP — only requires ext-openssl and firebase/php-jwt.
This SDK is implemented but not yet published to its package registry. Until it ships, mint attestation tokens on the device and verify them server-side with @rootherald/node (or any available server SDK). The API shown below is the planned surface and may change before release.
Install
composer require rootherald/rootheraldVerify a token
use Rootherald\Client;
use Rootherald\Verdict;
$client = new Client(
issuer: 'https://rootherald.io/myorg',
jwksUri: 'https://rootherald.io/myorg/.well-known/jwks.json',
);
$claims = $client->verifyToken($token);
if ($claims->verdict === Verdict::PASS) {
// proceed with signup
}Laravel middleware
Route::post('/signup', SignupController::class)
->middleware(['rootherald.guard:signup']);
// In SignupController:
$claims = request()->attributes->get('rootherald_claims');
// $claims->deviceId, $claims->verdict, $claims->tpmClass, ...The service provider auto-registers via Composer. Set ROOTHERALD_ISSUER in your .env file. Append ,strict to the middleware parameters to reject WARN verdicts in addition to FAIL.
Symfony subscriber
services:
Rootherald\Client:
arguments:
$issuer: '%env(ROOTHERALD_ISSUER)%'
Rootherald\Symfony\EventSubscriber\RootheraldSubscriber:
tags: ['kernel.event_subscriber']Mark a route as guarded by setting the _rootherald_action route default (or via a controller attribute) to the business action name.
WordPress
A single-file plugin that gates user registration on a valid attestation token ships with the SDK. Drop it into wp-content/plugins/, set ROOTHERALD_ISSUER in wp-config.php, and activate.