PHPackages nomokonov/sber-sdk-php - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Payment Processing](/categories/payments) 4. / 5. nomokonov/sber-sdk-php ActiveLibrary[Payment Processing](/categories/payments) nomokonov/sber-sdk-php ====================== PHP SDK for Sberbank SberAPI: authorization, H2H direct integration and instant payments. Port of the official Node.js SDK. v1.0.0(yesterday)10MITPHPPHP ^8.5 Since Jun 9Pushed todayCompare [ Source](https://github.com/4ubi/sber-sdk-php)[ Packagist](https://packagist.org/packages/nomokonov/sber-sdk-php)[ RSS](/packages/nomokonov-sber-sdk-php/feed)WikiDiscussions master Synced today READMEChangelogDependencies (5)Versions (2)Used By (0) Sber API SDK (PHP) ================== [](#sber-api-sdk-php) A lightweight PHP SDK for integrating with Sberbank's SberAPI: authorization, H2H direct integration, instant payments and payroll projects. A PHP port of the official [Node.js SDK](https://github.com/GreenBankTeamRu/SDK_Node.js). The SDK contains three modules: - **Authorization module** (`Nomokonov\SberSdk\Authorization`) — obtaining, refreshing and revoking tokens, rotating the client secret, retrieving user info, PKCE and JWT signature verification. - **H2H direct integration module** (`Nomokonov\SberSdk\H2H`) — dictionaries, client info, crypto operations and certificates, payments, statements, payroll sheets, SBP B2B links. - **Instant payments module** (`Nomokonov\SberSdk\InstantPayment`) — creating payment order drafts from an invoice and building the payment URL. Requirements ------------ [](#requirements) - PHP 8.5+ - Extensions: `ext-openssl`, `ext-zip`, `ext-json` - [Guzzle](https://docs.guzzlephp.org/) 7.9+ (HTTP client) Installation ------------ [](#installation) ``` composer require nomokonov/sber-sdk-php ``` Client configuration -------------------- [](#client-configuration) The client uses mTLS: a client certificate in PKCS#12 format (`.p12`) and trusted root certificates (CA). Production certificates are located in the `certs/`directory. ``` use Nomokonov\SberSdk\Authorization\ApiClient; $client = new ApiClient([ 'host' => 'https://iftfintech.testsbi.sberbank.ru:9443', 'p12Path' => '/path/to/SBBAPI_xxx.p12', 'p12Password' => 'certpass', // For production, pass the full certificate chain: // 'caPath' => [__DIR__ . '/certs/sberca-ext.crt', __DIR__ . '/certs/sberca-root-ext.crt'], 'caPath' => '/path/to/russiantrustedca2024.pem', 'connectTimeout' => 60000, // ms, default 60000 'readTimeout' => 60000, // ms, default 60000 'enableLogs' => true, // default false 'maxRetries' => 3, // default 3 'retryDelay' => 1000, // ms, default 1000 ]); ``` ### Logging [](#logging) With `enableLogs => true`, pass a PSR-3 logger as the third argument. Sensitive data (tokens, accounts, INN, amounts, etc.) is masked automatically ([`MaskingInterceptor`](src/Authorization/MaskingInterceptor.php)): ``` $client = new ApiClient($config, httpClient: null, logger: $psr3Logger); ``` ### Custom HTTP client [](#custom-http-client) For tests or fine-tuning you can pass your own Guzzle instance — in that case certificates are not required: ``` $client = new ApiClient(['host' => 'https://...'], $guzzleClient); ``` Usage ----- [](#usage) ### Authorization [](#authorization) ``` // Obtain an access token $token = $client->getAccessToken([ 'code' => $authorizationCode, 'client_id' => $clientId, 'redirect_uri' => 'https://example.com/callback', 'client_secret' => $clientSecret, ]); $accessToken = $token['access_token']; // Refresh the token $client->getRefreshToken([ 'refresh_token' => $refreshToken, 'client_id' => $clientId, 'redirect_uri' => 'https://example.com/callback', 'client_secret' => $clientSecret, ]); // Revoke the token $client->getRevokeToken($accessToken, [ 'client_id' => $clientId, 'client_secret' => $clientSecret, 'token' => $accessToken, 'token_type_hint' => 'access_token', ]); // Rotate the client secret (a new secret is generated automatically) $result = $client->getChangeClientSecret($accessToken, [ 'client_id' => $clientId, 'client_secret' => $clientSecret, ]); // $result['new_client_secret'], $result['clientSecretExpiration'] // User info (with JWT decoding) $info = $client->getUserInfo($accessToken); // $info['userInfoBodyResponse'], $info['jwt'] ``` ### PKCE [](#pkce) ``` use Nomokonov\SberSdk\Authorization\SecurityService; $security = new SecurityService(); $verifier = $security->generatePkceCodeVerifier(); $challenge = $security->generatePkceCodeChallenge($verifier); ``` ### JWT signature verification [](#jwt-signature-verification) The signature of `id_token`/user-info is verified natively via the OpenSSL extension — no Java or external processes are required. Sber tokens are signed with RSA (RS256/RS384/RS512), which is fully supported by PHP. ``` use Nomokonov\SberSdk\Authorization\SignatureVerificationService; $verifier = new SignatureVerificationService('/path/to/sber-signing-cert.cer'); $verifier->verifyJwt($token['id_token']); // true or SignatureVerificationException ``` The certificate may be in PEM or DER format (`.cer`/`.crt`). ### H2H — direct integration [](#h2h--direct-integration) ``` use Nomokonov\SberSdk\H2H\H2hClient; $h2h = new H2hClient($client); $dict = $h2h->getDictionary($accessToken, 'banks'); // ['name' => ..., 'content' => ...] $clientInfo = $h2h->getClientInfo($accessToken); $crypto = $h2h->getCrypto($accessToken); // Certificates $h2h->certificateRequest($accessToken, $certRequest); $h2h->activateCert($accessToken, $externalId); $pdf = $h2h->printCert($accessToken, $externalId); // raw PDF bytes $h2h->getCertState($accessToken, $externalId); // Payments $h2h->createPayment($accessToken, $paymentRequest); $h2h->getPayment($accessToken, $externalId); $h2h->getPaymentDocState($accessToken, $externalId); // Statements $h2h->getStatementSummary($accessToken, $accountNumber, $statementDate); $h2h->getStatementTransactions($accessToken, $accountNumber, $statementDate, 1); // Payroll sheets $h2h->createPayroll($accessToken, $payrollRequest); // SBP B2B payment links $h2h->createPaymentLink($accessToken, $linkRequest); $h2h->getPaymentLinkList($accessToken, '550e8400-e29b-41d4-a716-446655440000'); ``` ### Instant payments [](#instant-payments) ``` use Nomokonov\SberSdk\InstantPayment\InstantPaymentClient; use Nomokonov\SberSdk\InstantPayment\CryptoprofileType; $instant = new InstantPaymentClient($client); $instant->getPaymentInvoice($accessToken, $invoiceRequest); // fixed requisites $instant->getPaymentInvoiceBudget($accessToken, $budgetRequest); // budget payment $instant->getPaymentInvoiceAny($accessToken, $anyRequest); // free requisites $instant->getPaymentState($accessToken, $externalId); $url = $instant->buildPaymentUrl( externalId: $externalId, backUrl: 'https://shop.example/return', cryptoprofileType: CryptoprofileType::SMS, isProd: false, ); ``` Validation ---------- [](#validation) Requests are validated before being sent using [schemas](src/Validation/Schema.php) that mirror the Joi schemas of the Node.js SDK. On failure a `Nomokonov\SberSdk\Exception\ValidationException` is thrown with the list of fields and messages (`getErrors()`), without any network call. Error handling -------------- [](#error-handling) All exceptions extend `Nomokonov\SberSdk\Exception\SberApiException`: - `ConfigurationException` — invalid configuration (missing host/certificate). - `ValidationException` — the request failed validation. - `SignatureVerificationException` — JWT signature verification error. - `SberApiException` — network and response errors (after retries). Transient failures (connection errors and 5xx responses) are retried automatically with exponential backoff. Development ----------- [](#development) ``` composer install composer test # PHPUnit composer cs # PHP CS Fixer (check) composer cs:fix # PHP CS Fixer (fix) composer rector # Rector (check) composer rector:fix # Rector (apply) composer ci # cs + rector + test ``` ### CI [](#ci) [`.gitlab-ci.yml`](.gitlab-ci.yml) runs PHP CS Fixer, Rector and PHPUnit on every merge request and on pushes to the default branch. License ------- [](#license) [MIT](LICENSE) ### Health Score 42 — FairBetter than 88% of packages Maintenance100 Actively maintained with recent releases Popularity2 Limited adoption so far Community6 Small or concentrated contributor base Maturity50 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 1d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/7bf4a7d1a557b1b2a5bcca9df41533e3e3691a7780f4a509592502a6e17e227c?d=identicon)[4ubi](/maintainers/4ubi) --- Top Contributors [![4ubi](https://avatars.githubusercontent.com/u/32986076?v=4)](https://github.com/4ubi "4ubi (1 commits)") --- Tags sdkpaymentsh2hfintechsberbanksbersberapi ### Code Quality TestsPHPUnit Static AnalysisRector Code StylePHP CS Fixer ### Embed Badge ![Health badge](/badges/nomokonov-sber-sdk-php/health.svg) ``` [![Health](https://phpackages.com/badges/nomokonov-sber-sdk-php/health.svg)](https://phpackages.com/packages/nomokonov-sber-sdk-php) ``` ### Alternatives [aws/aws-sdk-php AWS SDK for PHP - Use Amazon Web Services in your PHP project 6.2k532.1M2.5k](/packages/aws-aws-sdk-php)[tempest/framework The PHP framework that gets out of your way. 2.2k31.1k11](/packages/tempest-framework)[chargebee/chargebee-php ChargeBee API client implementation for PHP 768.3M9](/packages/chargebee-chargebee-php) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)