PHPackages                             hydrakit/auth - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. hydrakit/auth

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

hydrakit/auth
=============

Authentication library for Hydra PHP framework

v0.2.0(yesterday)018↑50%3MITPHP &gt;=8.2

Since Jul 6Compare

[ Source](https://github.com/hydra-foundation/auth)[ Packagist](https://packagist.org/packages/hydrakit/auth)[ RSS](/packages/hydrakit-auth/feed)WikiDiscussions Synced today

READMEChangelogDependencies (10)Versions (4)Used By (3)

Hydra Auth
==========

[](#hydra-auth)

Authentication — identity only. It answers *who is logged in* and provides the verbs to change that (attempt/login/logout), behind a swappable guard. It does not do permissions: those are `hydrakit/authorization`. It does not know your users: that one contract is left for the app to fulfil.

The guard
---------

[](#the-guard)

A controller injects `GuardInterface` and asks it questions (`check`, `user`, `id`) or drives a login (`attempt`, `login`, `logout`). It never touches the session key, the user provider, or the hasher directly — the guard coordinates those. `SessionGuard` keeps a single identifier in the session, resolves the user at most once per request, and regenerates the session id on both login and logout (fixation defense). Binding the interface keeps the mechanism swappable: a token guard for an API could replace it without a controller change.

```
if ($guard->attempt($username, $password)) {
    // logged in; session id regenerated
}
```

Two deliberate details of `SessionGuard`:

- **Deleted users don't haunt sessions.** When the session holds an id the provider no longer recognises (the account was deleted after login), the guard removes the marker during that lookup — the session honestly reports "guest" from then on instead of re-running a futile lookup on every request. The session id is not regenerated there (it's a read path and nothing is being granted); the next real `login()` rotates it as always.
- **Failed attempts cost constant work.** `attempt()` burns exactly one hashing operation whether the user is missing, passwordless, or simply typed the wrong password, so response timing can't be used to enumerate accounts.

What the app must supply
------------------------

[](#what-the-app-must-supply)

`UserProviderInterface` is the one contract auth deliberately leaves unbound — it cannot know your storage. The app implements it (typically a repository over its users table) and binds it at the composition root; a missing binding is a loud container error, never a silent insecure default. The provider does lookups *only* — it never sees a password. The app's user entity implements `AuthenticatableInterface` (a stable identifier + the stored hash); auth never sees the rest of the model.

Config
------

[](#config)

`AuthConfig` holds only what genuinely varies per environment — the bcrypt work factor (`AUTH_HASH_COST`, default 12) — and validates it against bcrypt's range at construction. The session key the guard uses is a stable protocol constant on the guard, not a deployment setting.

###  Health Score

40

—

FairBetter than 86% of packages

Maintenance100

Actively maintained with recent releases

Popularity8

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity38

Early-stage or recently created project

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~1 days

Total

3

Last Release

1d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/a947272da0bf1d7d6326b4fbf6ddb8049977cbdbe333d0d1282dbb6f5927dfdf?d=identicon)[whleucka](/maintainers/whleucka)

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/hydrakit-auth/health.svg)

```
[![Health](https://phpackages.com/badges/hydrakit-auth/health.svg)](https://phpackages.com/packages/hydrakit-auth)
```

###  Alternatives

[symfony/symfony

The Symfony PHP framework

31.4k87.2M2.2k](/packages/symfony-symfony)[typo3/cms

TYPO3 CMS is a free open source Content Management Framework initially created by Kasper Skaarhoj and licensed under GNU/GPL.

1.2k1.9M122](/packages/typo3-cms)[cakephp/cakephp

The CakePHP framework

8.9k19.5M1.8k](/packages/cakephp-cakephp)[typo3/cms-core

TYPO3 CMS Core

3713.2M5.2k](/packages/typo3-cms-core)[sunrise/http-router

A powerful solution as the foundation of your project.

17451.8k10](/packages/sunrise-http-router)[mcp/sdk

Model Context Protocol SDK for Client and Server applications in PHP

1.5k1.5M97](/packages/mcp-sdk)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
