PHPackages                             ariedeha/xctx - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [HTTP &amp; Networking](/categories/http)
4. /
5. ariedeha/xctx

ActiveLibrary[HTTP &amp; Networking](/categories/http)

ariedeha/xctx
=============

Cross Context - Encrypted, signed, typed context propagation over a single HTTP header.

0.3.2(8mo ago)01Apache-2.0GoPHP &gt;=8.2

Since Oct 24Pushed 8mo agoCompare

[ Source](https://github.com/ArieDeha/xctx)[ Packagist](https://packagist.org/packages/ariedeha/xctx)[ RSS](/packages/ariedeha-xctx/feed)WikiDiscussions master Synced today

READMEChangelogDependencies (3)Versions (3)Used By (0)

xctx - Cross Context
====================

[](#xctx---cross-context)

Encrypted, signed, **typed** context propagation over a single HTTP header (`X-Context`) with **Go** and **PHP** reference implementations.

- **Single header** transport (`v1.`)
- **AEAD (AES‑256‑GCM)** with per‑message nonce, versioning, and key IDs (KID) for rotation
- **Claims** (`iss`, `aud`, `iat`, `nbf`, `exp`, `jti`) validated on the callee
- **Typed payload** `T` (Go generics) / associative array (PHP) — the library is schema‑agnostic
- **AAD binding** for tenant/env binding (non‑secret but must match on both sides)
- **Cross‑language** interop (Go ↔ PHP) proven in examples

> License: Apache‑2.0 (see `LICENSE-APACHE-2.0.txt`). Composer package declares `Apache-2.0`.

Why
---

[](#why)

Passing many fields across services via body/query/headers is brittle and leaky (and sometimes plain-text). `xctx` gives you a single, encrypted, signed envelope carrying exactly the **system-defined** context you want — no more, no less — without the library knowing your field schema.

File Structure
--------------

[](#file-structure)

```
xctx
├── LICENSE-APACHE-2.0.txt
├── README.md
├── clover.xml
├── composer.json
├── composer.lock
├── coverage.out
├── example
│   ├── callee
│   │   ├── go.mod
│   │   ├── main.go
│   │   └── main.php
│   └── caller
│       ├── go.mod
│       ├── main.go
│       └── main.php
├── go.mod
├── phpunit.xml.dist
├── src
│   └── Xctx
│       ├── Codec.php
│       ├── Config.php
│       ├── Exception
│       │   ├── CryptoException.php
│       │   ├── ValidationException.php
│       │   └── XctxException.php
│       ├── Keyring.php
│       └── Util
│           └── Base64Url.php
├── test
│   ├── CodecExceptionBranchesTest.php
│   ├── CodecTest.php
│   ├── ConfigTest.php
│   └── overrides
│       └── crypto_overrides.php
├── xctx.go
├── xctx_blackbox_test.go
├── xctx_config.go
├── xctx_config_blackbox_test.go
├── xctx_config_whitebox_test.go
└── xctx_whitebox_test.go

```

Quick Start
-----------

[](#quick-start)

See **[USAGE.md](USAGE.md)** for comprehensive instructions. TL;DR:

### Go

[](#go)

```
type PassingContext struct {
    UserID   int32  `json:"user_id"`
    UserName string `json:"user_name"`
    Role     string `json:"role,omitempty"`
}

user := xctx.Config{ /* header, issuer, audience, TTL, keys... */ }
aad  := func() []byte { return []byte("TENANT=blue|ENV=dev") }

codec, typedKey, err := xctx.BuildCodecFromEnvWithKey[PassingContext](user, nil, aad)
if err != nil { /* handle */ }

// Caller: inject typed payload into context and seal
ctx := xctx.DefaultInjector[PassingContext](typedKey)(context.Background(), PassingContext{UserID:7, UserName:"arie"})
name, value, _ := codec.EmbedHeaderCtx(ctx) // ("X-Context", "v1.")

// Callee: parse from *http.Request
newCtx, payload, err := codec.ParseCtx(r)
```

### PHP

[](#php)

```
use ArieDeha\Xctx\{Config, Codec};

$user = new Config(headerName: 'X-Context', issuer: 'svc-caller', audience: 'svc-callee',
                   ttlSeconds: 120, currentKid: 'kid-demo',
                   currentKey: '0123456789abcdef0123456789abcdef');
$aad  = fn() => 'TENANT=blue|ENV=dev';

$codec = Codec::buildFromEnv($user, $aad);

// Caller: seal
[$name, $value] = $codec->embedHeader(['user_id'=>7,'user_name'=>'arie']);

// Callee: parse
[$payload, $claims] = $codec->parseHeaderValue($value);
```

Examples
--------

[](#examples)

- **Go callee** at `:8081` and **PHP callee** at `:8082` with mutual relays/mutations.
- **Go** and **PHP** callers demonstrate cross‑language portability and chained updates.

Run order:

```
# Terminal A
go run ./example/callee

# Terminal B
php -S 127.0.0.1:8082 -t example/callee example/callee/router.php  # or: php -S 127.0.0.1:8082 example/callee/main.php

# Terminal C
go run ./example/caller

# Terminal D
php example/caller/main.php
```

Envelope
--------

[](#envelope)

`X-Context: v1.` where `json` has lowercase keys:

```
{ "v":1, "alg":"AES256-GCM", "kid":"kid-demo", "n":"...", "ct":"..." }
```

Both implementations accept `AES256-GCM`/`AES-256-GCM` and lowercase/uppercase keys on parse. Emit is canonicalized to **lowercase keys** for interop with Go.

Configuration
-------------

[](#configuration)

See **[USAGE.md](USAGE.md)** for environment variables, key formats (raw/hex/base64), and AAD binding guidance.

Development
-----------

[](#development)

- See **[DEVELOPERS.md](DEVELOPERS.md)** for building, testing, and coverage (Go &amp; PHP).
- Security notes: short TTLs, rotation with `OtherKeys`, replay mitigation with `jti`, strict claim checks.

###  Health Score

28

—

LowBetter than 52% of packages

Maintenance61

Regular maintenance activity

Popularity1

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity39

Early-stage or recently created project

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~3 days

Total

2

Last Release

249d ago

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/9045281?v=4)[ariedeha](/maintainers/ariedeha)[@ArieDeha](https://github.com/ArieDeha)

---

Top Contributors

[![ArieDeha](https://avatars.githubusercontent.com/u/9045281?v=4)](https://github.com/ArieDeha "ArieDeha (15 commits)")

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/ariedeha-xctx/health.svg)

```
[![Health](https://phpackages.com/badges/ariedeha-xctx/health.svg)](https://phpackages.com/packages/ariedeha-xctx)
```

###  Alternatives

[guzzlehttp/psr7

PSR-7 message implementation that also provides common utility methods

8.0k1.1B4.0k](/packages/guzzlehttp-psr7)[aws/aws-sdk-php

AWS SDK for PHP - Use Amazon Web Services in your PHP project

6.3k543.5M2.6k](/packages/aws-aws-sdk-php)[neuron-core/neuron-ai

The PHP Agentic Framework.

2.0k656.1k38](/packages/neuron-core-neuron-ai)[tempest/framework

The PHP framework that gets out of your way.

2.2k34.4k15](/packages/tempest-framework)[telnyx/telnyx-php

Official Telnyx PHP SDK — APIs for Voice, SMS, MMS, WhatsApp, Fax, SIP Trunking, Wireless IoT, Call Control, and more. Build global communications on Telnyx's private carrier-grade network.

35789.4k2](/packages/telnyx-telnyx-php)[laudis/neo4j-php-client

Neo4j-PHP-Client is the most advanced PHP Client for Neo4j

185702.8k44](/packages/laudis-neo4j-php-client)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
