
pinkcrab/wp-nonce
=================

Simple class based WP Nonce solution


[Source](https://github.com/Pink-Crab/Nonce) | [Packagist](https://packagist.org/packages/pinkcrab/wp-nonce) | [Docs](https://pinkcrab.co.uk)


Nonce
=====


A minimal object-based wrapper around the WordPress Nonce API. Each `Nonce` instance holds an action and a lazily-generated token, and exposes helpers for URL decoration, form-field rendering, validation, and admin-referer checks. Instances are serialisable so you can pass them through the request lifecycle without regenerating the token.


For more details please visit the docs site: [https://perique.info/lib/WP\_Nonce.html](https://perique.info/lib/WP_Nonce.html)

Why?
----


WordPress's native nonce API is procedural — `wp_create_nonce()`, `wp_verify_nonce()`, `wp_nonce_field()`, `check_admin_referer()` — and leaves the caller to juggle the action handle alongside the token at every touch-point. In practice nonces are a single unit: one action string, one token, one lifecycle. This library wraps that unit in a small class so it can be passed around, serialised, and stored alongside whatever else needs the nonce (a form model, an AJAX endpoint spec, a REST request builder).

Install
-------


```
composer require pinkcrab/wp-nonce
```

Then include the Composer autoloader in your project:

```
require_once __DIR__ . '/vendor/autoload.php';
```

Usage
-----


```
use PinkCrab\Nonce\Nonce;

$nonce = new Nonce( 'my_action' );

// Get the current token.
$nonce->token();

// Render a hidden nonce field.
echo $nonce->nonce_field();

// Validate a submitted token.
if ( ! $nonce->validate( $_POST['_wpnonce'] ?? '' ) ) {
    wp_die( 'Invalid nonce' );
}

// Decorate a URL with the nonce token.
$url = $nonce->as_url( 'https://example.com/admin-action' );
```

Methods (Setters)
-----------------


### \_\_construct


**\_\_construct( string $action )**

> @param string $action The action handle that scopes the nonce (same semantics as WordPress's `wp_create_nonce($action)`).

Creates a nonce instance bound to a single action handle. The token is generated lazily on first access.

*Example*

```
$nonce = new Nonce( 'save_settings' );
```

Methods (Getters & Helpers)
---------------------------


### token


**token(): string**

> @return string The nonce token string, generated via `wp_create_nonce()` the first time it's called.

Returns the nonce token. Matches what `wp_create_nonce($action)` would produce for the same action.

*Example*

```
$nonce = new Nonce( 'save_settings' );
echo $nonce->token(); // e.g. "31b31db189"
```

### as\_url


**as\_url( string $url, string $arg = '\_wpnonce' ): string**

> @param string $url The base URL to append the nonce to.
> @param string $arg Query-string parameter name the nonce is appended as. Defaults to `_wpnonce`.
> @return string The URL with `?<arg>=<token>` (or `&<arg>=<token>`) appended.

Appends the nonce token to a URL as a query-string parameter. Handles both URLs without an existing query string and URLs that already have one.

*Example*

```
$nonce = new Nonce( 'url_action' );

$nonce->as_url( 'https://example.com/do' );
// https://example.com/do?_wpnonce=<token>

$nonce->as_url( 'https://example.com/do?id=42', 'my_nonce' );
// https://example.com/do?id=42&my_nonce=<token>
```

> This does not use the admin-referer mechanism — for that use `admin_referer()` below.

### nonce\_field


**nonce\_field( string $name = '\_wpnonce' ): string**

> @param string $name The input name/id used for the hidden field. Defaults to `_wpnonce`.
> @return string The HTML for a hidden `<input>` containing the nonce token.

Returns (does not echo) the HTML for a hidden `<input>` carrying the nonce token. Useful for form-building code that prefers to compose output itself.

*Example*

```
$nonce = new Nonce( 'form_submit' );

echo $nonce->nonce_field( 'settings_nonce' );
// e.g. <input type="hidden" id="settings_nonce" name="settings_nonce" value="<token>" />

echo $nonce->nonce_field();
// e.g. <input type="hidden" id="_wpnonce" name="_wpnonce" value="<token>" />
```

> The nonce field is returned, not echoed. Call `echo` yourself.

### validate


**validate( string $nonce ): bool**

> @param string $nonce The token string to validate against the nonce's action.
> @return bool `true` if the token matches; `false` otherwise.

Validates a token string against the nonce's action. Returns `true` for a match, `false` otherwise. Wraps `wp_verify_nonce()` with a strict-bool return.

*Example*

```
$nonce = new Nonce( 'my_action' );

$nonce->validate( $nonce->token() ); // true
$nonce->validate( 'anything_else' ); // false
```
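
A fuller request lifecycle for `nonce_field()` and `validate()`, as an added example that is not part of the library's README: a settings form posted to `admin-post.php`, with the nonce checked alongside a capability check. The `acme_*` function names, the `acme_settings_nonce` field name and the `acme_api_key` option are hypothetical.

```php
<?php
// Added example, not from the pinkcrab/wp-nonce README.
// All acme_* names and the 'acme_api_key' option are hypothetical.
use PinkCrab\Nonce\Nonce;

const ACME_NONCE_FIELD = 'acme_settings_nonce';

function acme_settings_nonce(): Nonce {
    // Same action string on render and on verify, or validation always fails.
    return new Nonce( 'acme_save_settings' );
}

function acme_render_settings_form(): void {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="acme_save_settings" />';
    // nonce_field() returns the markup; it does not echo it.
    echo acme_settings_nonce()->nonce_field( ACME_NONCE_FIELD );
    echo '<input type="text" name="acme_api_key" />';
    submit_button();
    echo '</form>';
}

function acme_handle_settings_save(): void {
    // A nonce only shows the request came from a form this site issued to this
    // user (CSRF protection). Authorisation is a separate capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    // Unslash and sanitise the raw request value before validating it.
    $submitted = isset( $_POST[ ACME_NONCE_FIELD ] )
        ? sanitize_text_field( wp_unslash( $_POST[ ACME_NONCE_FIELD ] ) )
        : '';

    if ( ! acme_settings_nonce()->validate( $submitted ) ) {
        wp_die( 'Invalid or expired nonce', '', array( 'response' => 403 ) );
    }

    $api_key = sanitize_text_field( wp_unslash( $_POST['acme_api_key'] ?? '' ) );
    update_option( 'acme_api_key', $api_key );

    wp_safe_redirect( admin_url( 'options-general.php?page=acme' ) );
    exit;
}

// admin_post_{action} fires only for logged-in users.
add_action( 'admin_post_acme_save_settings', 'acme_handle_settings_save' );
```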

### admin\_referer


**admin\_referer( string $name = '\_wpnonce' ): bool**

> @param string $name The `$_REQUEST` key holding the nonce. Defaults to `_wpnonce`.
> @return bool `true` if the admin-referer check passes.

Runs WordPress's `check_admin_referer()` against the token found in `$_REQUEST[$name]`. Returns `true` on success; WordPress itself will `wp_die()` on failure (which in tests throws `WPDieException`).

*Example*

```
$nonce = new Nonce( 'admin_save' );

if ( $nonce->admin_referer() ) {
    // OK to proceed.
}
```

Serialisation
-------------


`Nonce` implements `Serializable` (via PHP's magic methods), so instances can be stored alongside other request state and recovered later without regenerating the token:

```
$nonce    = new Nonce( 'serialised' );
$s_nonce  = serialize( $nonce );
$restored = unserialize( $s_nonce );

$restored->token() === $nonce->token(); // true
```

Tested Against
--------------


- PHP 8.0, 8.1, 8.2, 8.3 & 8.4
- WP 6.6, 6.7, 6.8 & 6.9
- MySQL 8.4

License
-------


### MIT License


Change Log
----------


- 1.0.0 - First stable release. Drop PHP 7.x, require PHP 8.0+. Modernise the tooling chain (PHPStan 2.x, PHPUnit 8|9, WPCS 3.x, `yoast/phpunit-polyfills` widened to include v4). Replace the single GitHub\_CI workflow with the WP 6.6–6.9 matrix (PHP 8.0–8.4, `mysql:8.4`) using `codecov/codecov-action@v4`. Suppress the WP 6.8 `wp_is_block_theme` early-call notice in `tests/wp-config.php`. Swap the custom VCS-sourced `pinkcrab/phpunit-helpers` dev dep for the packaged `gin0115/wpunit-helpers`; migrate `Test_Nonce` accordingly (`Reflection::get_private_property` → `Objects::get_property`). Remove the `repositories` block and `object-calisthenics/phpcs-calisthenics-rules` from dev-deps. README reformatted to the shared lib template.
- 0.1.0 - Created from part of PC Framework 0.1.0

### Health Score

44 (Fair). Better than 90% of packages.

- Maintenance: 66. Regular maintenance activity
- Popularity: 25. Limited adoption so far
- Community: 10. Small or concentrated contributor base
- Maturity: 60. Established project with proven stability
- Bus Factor: 1. Top contributor holds 100% of commits, a single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~1894 days
- Total releases: 2
- Last release: 73d ago
- Major versions: 0.1.0 → 1.0.0 (2026-04-20)
- PHP version history (2 changes): 0.1.0 PHP >=7.1.0; 1.0.0 PHP >=8.0.0

### Community

- Maintainers: [glynnquelch](/maintainers/glynnquelch)
- Top Contributors: [gin0115](https://github.com/gin0115) (8 commits)

### Code Quality

- Tests: PHPUnit
- Static Analysis: PHPStan
- Type Coverage: Yes


### Alternatives

- [keiko/uuid-shortener](/packages/keiko-uuid-shortener): A simple shortener library for RFC 4122 compatible UUIDs. Change your 36 chars long UUID into its shorter equivalent.

