PHPackages                             bella-baxter/sdk - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Utility &amp; Helpers](/categories/utility)
4. /
5. bella-baxter/sdk

ActiveLibrary[Utility &amp; Helpers](/categories/utility)

bella-baxter/sdk
================

Official PHP SDK for the Bella Baxter secret management platform

v0.1.1-beta.91(4w ago)0502MITPHPPHP ^8.1CI failing

Since Mar 26Pushed 4w agoCompare

[ Source](https://github.com/Cosmic-Chimps/bella-baxter-php)[ Packagist](https://packagist.org/packages/bella-baxter/sdk)[ Docs](https://bella-baxter.io)[ RSS](/packages/bella-baxter-sdk/feed)WikiDiscussions main Synced 3w ago

READMEChangelogDependencies (21)Versions (69)Used By (2)

Bella Baxter PHP SDK
====================

[](#bella-baxter-php-sdk)

Official PHP SDK for the [Bella Baxter](https://github.com/cosmic-chimps/bella-baxter) secret management platform.

Requirements
------------

[](#requirements)

- PHP 8.1+
- Extensions: `ext-curl`, `ext-json`, `ext-openssl` (all bundled by default)

Installation
------------

[](#installation)

```
composer require bella-baxter/sdk
```

Quick Start
-----------

[](#quick-start)

```
use BellaBaxter\BaxterClient;
use BellaBaxter\BaxterClientOptions;

$client = new BaxterClient(new BaxterClientOptions(
    baxterUrl:       'https://baxter.example.com',
    clientId:        'bella_ak_abc123',       // from: bella apikeys create
    clientSecret:    'your-secret-here',
    environmentSlug: 'production',
    enableE2ee:      true,                    // end-to-end encryption
));

$secrets = $client->getAllSecrets();
echo $secrets['DATABASE_URL'];
```

End-to-End Encryption (E2EE)
----------------------------

[](#end-to-end-encryption-e2ee)

When `enableE2ee: true` is set:

1. The SDK generates a P-256 ECDH key pair on startup
2. The public key is sent as `X-E2E-Public-Key` header with every request
3. The server encrypts the response using **ECDH-P256 + HKDF-SHA256 + AES-256-GCM**
4. The SDK decrypts the response transparently

Secret values are **never visible in plaintext** — not in server logs, proxies, or network captures.

```
// E2EE is opt-in — disabled by default
$clientWithE2ee = new BaxterClient(new BaxterClientOptions(
    // ...
    enableE2ee: true,
));
```

API
---

[](#api)

### `getAllSecrets(): array`

[](#getallsecrets-arraystringstring)

Fetches all secrets for the configured environment.

```
$secrets = $client->getAllSecrets();
// ['DATABASE_URL' => 'postgres://...', 'API_KEY' => '...']
```

### `getSecret(string $key): string`

[](#getsecretstring-key-string)

Fetches all secrets and returns a single value by key. Throws `\RuntimeException` if not found.

```
$dbUrl = $client->getSecret('DATABASE_URL');
```

### `getSecretsVersion(int $version): array`

[](#getsecretsversionint-version-arraystringstring)

Fetches secrets at a specific version snapshot.

```
$secrets = $client->getSecretsVersion(42);
```

Configuration
-------------

[](#configuration)

OptionTypeDefaultDescription`baxterUrl``string`—Base URL of the Baxter API`clientId``string`—API key client ID`clientSecret``string`—API key client secret`environmentSlug``string`—Environment slug (e.g. `production`)`enableE2ee``bool``false`Enable end-to-end encryption`timeoutSeconds``int``10`HTTP request timeoutLaravel Integration
-------------------

[](#laravel-integration)

```
// config/services.php
'bella' => [
    'url'         => env('BAXTER_URL'),
    'client_id'   => env('BAXTER_CLIENT_ID'),
    'client_secret' => env('BAXTER_CLIENT_SECRET'),
    'environment' => env('BAXTER_ENVIRONMENT', 'production'),
    'e2ee'        => env('BAXTER_E2EE', true),
],

// AppServiceProvider::register()
$this->app->singleton(BaxterClient::class, function () {
    return new BaxterClient(new BaxterClientOptions(
        baxterUrl:       config('services.bella.url'),
        clientId:        config('services.bella.client_id'),
        clientSecret:    config('services.bella.client_secret'),
        environmentSlug: config('services.bella.environment'),
        enableE2ee:      (bool) config('services.bella.e2ee'),
    ));
});
```

Symfony Integration
-------------------

[](#symfony-integration)

```
# config/services.yaml
BellaBaxter\BaxterClientOptions:
    arguments:
        $baxterUrl:       '%env(BAXTER_URL)%'
        $clientId:        '%env(BAXTER_CLIENT_ID)%'
        $clientSecret:    '%env(BAXTER_CLIENT_SECRET)%'
        $environmentSlug: '%env(BAXTER_ENVIRONMENT)%'
        $enableE2ee:      true

BellaBaxter\BaxterClient:
    arguments:
        $options: '@BellaBaxter\BaxterClientOptions'
```

---

Typed Secret Code Generation
----------------------------

[](#typed-secret-code-generation)

`bella secrets generate php` fetches the secrets manifest (key names + type hints, no values) from the Bella API and generates a typed `AppSecrets` class. Each method calls `getenv()` at runtime — no secret values are ever embedded in the generated file.

```
bella secrets generate php \
  --project my-app \
  --environment production \
  --output AppSecrets.php
```

**Generated `AppSecrets.php`:**

```