AuthClient
Public facade for the auth-php package.
Composes the ports (TokenValidator, Transport, SessionStore, Clock,
RevocationCache) into a small surface for app code. Mirrors the TS
reference auth-client/src/core/auth-client.ts in intent, adapted to
idiomatic PHP — no reactive snapshot, no cross-tab broadcast (PHP is
single-process per request).
Typical use (server-side Laravel app):
$principal = $client->validateBearer($request->bearerToken()); $user = $client->me($accessToken);
Login / refresh / etc. go through the wrapped Transport and surface typed Domain DTOs.
Methods
build()
function build( Config $config, Transport $transport, ?RevocationCache $revocationCache = null, ?SessionStore $session = null, ?Clock $clock = null, ?LoggerInterface $logger = null,): selfConvenience builder for use cases that don’t want to manually compose ports. The caller still passes a concrete Transport (PSR-18 is a hard dep there). Clock + SessionStore default to in-memory.
validateToken()
function validateToken(string $jwt): PrincipalValidate an access token (or service token) locally. Returns a typed Principal. Throws TokenExpiredException / TokenInvalidException / TokenRevokedException.
validateBearer()
function validateBearer(?string $headerValue): ?PrincipalValidate an “Authorization: Bearer …” header. Returns null when the header is missing or empty (lets the caller decide whether to 401).
login()
function login(string $email, string $password, array $opts = []): AuthResponsePassword login (POST /auth/login). Returns the AuthResponse. When the server requires 2FA, AuthResponse::$requiresTwoFactor is true and $tokens is null — the caller prompts for code and resubmits.
Parameters
$opts—array{ organizationId?:string|null, rememberMe?:bool, twoFactorCode?:string|null, appCode?:string|null, }
refresh()
function refresh(?string $refreshToken = null, array $opts = []): AuthResponseRefresh access + refresh tokens (POST /auth/refresh). Returns the new AuthResponse. Optional context fields switch the active org / app without forcing a fresh password login.
Parameters
$opts—array{organizationId?:string|null,appCode?:string|null}
logout()
function logout(): voidLogout the current session (POST /auth/logout). Best-effort: clears the local SessionStore even if the server call fails — the access token reaches natural exp regardless. Authenticated endpoint (auth-server AUDIT 1.23) so the access token is attached.
logoutAll()
function logoutAll(): voidLogout-all: revoke every refresh token + bump per-user token-version (POST /auth/logout/all). After this call, every outstanding access token for the user is invalid cross-replica within ~one cache TTL.
me()
function me(?string $accessToken = null): arrayGET /auth/me — current user as a server-authoritative payload.
Returns
array<string,mixed>
register()
function register(array $payload): AuthResponseRegister a new user (POST /auth/register).
Parameters
$payload—array<string,mixed>· Body fields per the server’s RegisterRequest DTO
authenticatedRequest()
function authenticatedRequest( string $method, string $path, ?array $body = null, array $headers = [],): arrayAuthenticated request helper. Issues the call with the current access token; on 401, attempts ONE refresh + ONE retry (mirrors auth-client autoRetryOn401). Returns the decoded body.
Parameters
$body—array<string,mixed>|null$headers—array<string,string>
Returns
array<string,mixed>
accessToken()
function accessToken(): ?stringThe current session’s access token, or null when there isn’t one.
Convenience for host apps (esp. the SSO bridge) that need to forward
the logged-in user’s token to a sibling rw3iss API — e.g.
rw3iss/auction-sdk-php. Reads from the configured SessionStore;
in pure bearer-token mode (no session) the token lives on the request,
not here, so this returns null — read it from the guard/Authorization
header in that case.