flametrench/authz
=================

Authorization primitives for Flametrench: relational tuples and exact-match check(). Spec-conformant; no rewrite rules in v0.1.

v0.2.0 · Apache-2.0 · PHP ^8.3

[Source](https://github.com/flametrench/authz-php) · [Packagist](https://packagist.org/packages/flametrench/authz) · [Docs](https://flametrench.dev)

[![CI](https://github.com/flametrench/authz-php/actions/workflows/ci.yml/badge.svg)](https://github.com/flametrench/authz-php/actions/workflows/ci.yml)

Authorization primitives for [Flametrench](https://flametrench.dev): relational tuples and exact-match `check()`. Spec-conformant — exact-match remains the default, with **no implicit rewriting** at the API boundary ([ADR 0001](https://github.com/flametrench/spec/blob/main/decisions/0001-authorization-model.md)). v0.2 adds opt-in rewrite rules ([ADR 0007](https://github.com/flametrench/spec/blob/main/decisions/0007-rewrite-rules.md)) — `computed_userset` (role implication) and `tuple_to_userset` (parent-child inheritance) — for adopters who want hierarchies. Group expansion remains deferred.

The PHP counterpart of [`@flametrench/authz`](https://github.com/flametrench/node/tree/main/packages/authz). Same shapes, same invariants, same test fixtures.

**Status:** v0.2.0 (stable). PHP 8.3+ required. Includes `ShareStore` ([ADR 0012](https://github.com/flametrench/spec/blob/main/decisions/0012-share-tokens.md)) and Postgres-backed adapters (`PostgresTupleStore`, `PostgresShareStore`). Per [ADR 0013](https://github.com/flametrench/spec/blob/main/decisions/0013-postgres-adapter-transaction-nesting.md) the Postgres adapters cooperate with adopter-side outer transactions via savepoints when nested.

Install
-------

```
composer require flametrench/authz
```

Quick start
-----------

```
use Flametrench\Authz\InMemoryTupleStore;

$store = new InMemoryTupleStore();

$store->createTuple(
    subjectType: 'usr',
    subjectId: 'usr_0190...alice',
    relation: 'editor',
    objectType: 'proj',
    objectId: '0190...project42',
);

// Single-relation check.
$result = $store->check(
    subjectType: 'usr',
    subjectId: 'usr_0190...alice',
    relation: 'editor',
    objectType: 'proj',
    objectId: '0190...project42',
);
// $result->allowed === true

// Set-form: true if any of the listed relations matches.
$any = $store->checkAny(
    subjectType: 'usr',
    subjectId: 'usr_0190...alice',
    relations: ['owner', 'admin', 'editor'],
    objectType: 'proj',
    objectId: '0190...project42',
);
```

Default `check()` semantics
---------------------------

`check()` is **exact match by default**. `admin` does NOT imply `editor`. `editor` does NOT imply `viewer`. Being a `member` of an org does NOT imply any object-level access. The test suite has dedicated fixtures for each invariant — they catch the most common way an SDK could accidentally violate ADR 0001.

If you want implication or inheritance, three options:

- **Materialize at state-change time** (Pattern A) — write the implied tuples explicitly when state changes. Works at every spec version.
- **Pass a relation set to `checkAny`** (Pattern B) — let the caller list equivalent relations.
- **Opt into v0.2 rewrite rules** ([ADR 0007](https://github.com/flametrench/spec/blob/main/decisions/0007-rewrite-rules.md)) — declare `computed_userset` (role implication) and `tuple_to_userset` (parent-child inheritance) explicitly, with depth and fan-out caps. Currently in-memory only; Postgres-backed rule evaluation lands in a future release.
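
The difference between the exact-match default, Pattern A and Pattern B, shown as an added example that is not the library's code: `ToyTupleStore` is a hypothetical stand-in that models only the exact-match behaviour described above, and the IDs are constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-in, not Flametrench\Authz code: models exact-match only.
final class ToyTupleStore
{
    /** @var array<string, true> */
    private array $tuples = [];

    private static function key(string ...$parts): string
    {
        // JSON-encode so a delimiter inside an ID cannot collide with another tuple.
        return json_encode($parts, JSON_THROW_ON_ERROR);
    }

    public function create(string $subjectId, string $relation, string $objectType, string $objectId): void
    {
        $this->tuples[self::key($subjectId, $relation, $objectType, $objectId)] = true;
    }

    public function check(string $subjectId, string $relation, string $objectType, string $objectId): bool
    {
        return isset($this->tuples[self::key($subjectId, $relation, $objectType, $objectId)]);
    }

    /** @param list<string> $relations */
    public function checkAny(string $subjectId, array $relations, string $objectType, string $objectId): bool
    {
        if ($relations === []) {
            throw new InvalidArgumentException('relation set must not be empty');
        }
        foreach ($relations as $relation) {
            if ($this->check($subjectId, $relation, $objectType, $objectId)) {
                return true;
            }
        }
        return false;
    }
}

$store = new ToyTupleStore();
$store->create('usr_alice', 'admin', 'proj', 'proj_42'); // constructed IDs

// Exact match: the admin tuple does not satisfy an editor check.
var_dump($store->check('usr_alice', 'editor', 'proj', 'proj_42'));
// Pattern B: the caller names every relation it accepts for this action.
var_dump($store->checkAny('usr_alice', ['owner', 'admin', 'editor'], 'proj', 'proj_42'));
// Pattern A: write the implied tuple when the grant happens; plain check() then matches.
$store->create('usr_alice', 'editor', 'proj', 'proj_42');
var_dump($store->check('usr_alice', 'editor', 'proj', 'proj_42'));
```

With Pattern A, revoking the original grant has to delete the materialized tuples as well, otherwise the implied access outlives the grant.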

Format rules
------------

- **Relations** match `/^[a-z_]{2,32}$/`. Six built-ins (`owner`, `admin`, `member`, `guest`, `viewer`, `editor`); applications register custom relations matching the same pattern.
- **Object-type prefixes** match `/^[a-z]{2,6}$/` per `docs/ids.md`. Use short prefixes — `proj` not `project`, `doc` not `document`.
- **Subject types** must be `'usr'`. Group subjects (`grp`) remain deferred.
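
A boundary validator built from these rules, as an added example rather than the library's own code; `tupleFormatErrors` and its error labels are hypothetical. It adds PCRE's `D` modifier because under PHP's `preg_match` a bare `$` also matches just before a trailing newline, so the patterns as written would accept `"admin\n"`.

```php
<?php
declare(strict_types=1);

// Patterns copied from the format rules above, with the D modifier added so that
// "$" matches only at the very end of the string.
const RELATION_RE    = '/^[a-z_]{2,32}$/D';
const OBJECT_TYPE_RE = '/^[a-z]{2,6}$/D';

/**
 * Hypothetical boundary validator (not part of flametrench/authz).
 * Returns the list of violated rules; an empty list means the input is well-formed.
 *
 * @return list<string>
 */
function tupleFormatErrors(string $subjectType, string $relation, string $objectType): array
{
    $errors = [];
    if ($subjectType !== 'usr') {
        $errors[] = 'subject_type';
    }
    if (preg_match(RELATION_RE, $relation) !== 1) {
        $errors[] = 'relation';
    }
    if (preg_match(OBJECT_TYPE_RE, $objectType) !== 1) {
        $errors[] = 'object_type';
    }
    return $errors;
}

// Constructed inputs: [subjectType, relation, objectType].
$samples = [
    ['usr', 'editor', 'proj'],
    ['usr', "admin\n", 'proj'],    // trailing newline
    ['usr', 'Editor', 'proj'],     // uppercase letter
    ['usr', 'editor', 'project'],  // seven characters, over the six-character limit
    ['grp', 'member', 'org'],      // group subjects are deferred
];
foreach ($samples as [$s, $r, $o]) {
    printf("%-28s %s\n", json_encode([$s, $r, $o]), implode(',', tupleFormatErrors($s, $r, $o)) ?: 'ok');
}
```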

Errors
------

Every error is a `Flametrench\Authz\Exceptions\AuthzException` subclass with a `flametrenchCode` matching the OpenAPI Error envelope:

| Class | Code |
|---|---|
| `TupleNotFoundException` | `not_found` |
| `DuplicateTupleException` | `conflict.duplicate_tuple` (carries `existingTupleId`) |
| `InvalidFormatException` | `invalid_format.` |
| `EmptyRelationSetException` | `invalid_format.relations` |

Development
-----------

```
composer install
composer test
```

License
-------

Apache License 2.0. Copyright 2026 NDC Digital, LLC.

Maintainer: Nathan Call ([@nathancall](https://github.com/nathancall))

Tags: authorization, authz, zanzibar, flametrench, relational-tuples

Tests: Pest
