PHPackages                             the-iceberg-company/subzero - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. the-iceberg-company/subzero

ActiveLibrary[Security](/categories/security)

the-iceberg-company/subzero
===========================

PHP client for the Subzero tokenization vault

v1.0.0(today)00proprietaryPHPPHP &gt;=8.1

Since Jun 30Pushed todayCompare

[ Source](https://github.com/The-Iceberg-Company/the-iceberg-company-subzero)[ Packagist](https://packagist.org/packages/the-iceberg-company/subzero)[ RSS](/packages/the-iceberg-company-subzero/feed)WikiDiscussions main Synced today

READMEChangelog (1)Dependencies (2)Versions (2)Used By (0)

Subzero PHP SDK
===============

[](#subzero-php-sdk)

Thin PHP client for the [Subzero](../subzero-api/) tokenization vault.

Configure entity types, API keys, and reveal policies in the **dashboard** first. This SDK is for server-side vault operations only.

Requirements
------------

[](#requirements)

- PHP 8.1+
- [Composer](https://getcomposer.org/)

Install
-------

[](#install)

```
cd php-sdk
composer install
```

In another project:

```
composer require the-iceberg-company/subzero
```

Quick start
-----------

[](#quick-start)

```
use Iceberg\Subzero\SubzeroClient;

$client = new SubzeroClient(
    tokenizeKey: 'sz_live_...',   // tokenize + search + batch
    revealKey: 'sz_live_...',     // reveal
);
$client->ready();

$token = $client->tokenize('SSN', '123-45-6789');
$found = $client->search('SSN', '123-45-6789');
$value = $client->reveal($token);
$resolved = $client->resolve('123-45-6789');
```

Or from environment variables:

```
$client = SubzeroClient::fromEnv();
$client->ready();
```

A single `apiKey` works when one key has both scopes (e.g. `admin`):

```
$client = new SubzeroClient(apiKey: 'sz_live_...');
```

API key scopes
--------------

[](#api-key-scopes)

ScopeSDK methods`tokenize``tokenize`, `search`, `tokenizeBatch`, `proxy->scan`, `proxy->discover`, `proxy->restructure``proxy``proxy->scan`, `proxy->discover`, `proxy->restructure``reveal``reveal`, `resolve` (requires a matching reveal policy in the dashboard)`reveal_grant``createRevealGrant` (BFF for Elements click-to-reveal)`admin`All of the above (bypasses reveal policy)Use separate `tokenizeKey`, `revealKey`, and `proxyKey` in production for least privilege.

Reveal caller context (audit)
-----------------------------

[](#reveal-caller-context-audit)

By default, `reveal`, `resolve`, and `createRevealGrant` attach optional **`caller_context`** for audit logging. Auto-capture uses the first frame outside `Iceberg\Subzero\` when enabled (default).

```
use Iceberg\Subzero\Models\RevealCallerContext;

$client = new SubzeroClient(revealKey: '...', captureCallerContext: false);
$client->reveal($token, new RevealCallerContext(file: 'Billing.php', line: 42, sdk: 'php'));
```

**Privacy:** auto-capture may include file paths in audit logs — disable or pass opaque refs if needed.

Environment variables
---------------------

[](#environment-variables)

VariablePurpose`SUBZERO_API_KEY`Single key when one key covers multiple scopes`SUBZERO_TOKENIZE_API_KEY`Tokenize/search/batch only`SUBZERO_REVEAL_API_KEY`Reveal/resolve only`SUBZERO_PROXY_API_KEY`LLM proxy scan/discover/restructure only`SUBZERO_BASE_URL`API host (no trailing `/v1`)LLM proxy preview
-----------------

[](#llm-proxy-preview)

Dry-run scan, discover, and restructure. No upstream LLM call.

```
$scan = $client->proxy->scan(
    messages: [['role' => 'user', 'content' => 'Patient SSN 123-45-6789']],
);

$discover = $client->proxy->discover(
    messages: [['role' => 'user', 'content' => 'Patient SSN 123-45-6789']],
);

$result = $client->proxy->restructure(
    messages: [['role' => 'assistant', 'content' => 'SSN on file: [SSN_abc12345]']],
);
```

Batch tokenize
--------------

[](#batch-tokenize)

For ETL pipelines. Max **100** items per API request; the SDK auto-chunks larger lists.

```
use Iceberg\Subzero\Models\TokenizeBatchContext;
use Iceberg\Subzero\Models\TokenizeBatchItem;
use Iceberg\Subzero\Models\TokenizeBatchSource;

$results = $client->tokenizeBatch(
    [
        new TokenizeBatchItem(0, 'SSN', '123-45-6789'),
        new TokenizeBatchItem(1, 'SSN', '987-65-4321'),
    ],
    context: new TokenizeBatchContext(source: TokenizeBatchSource::Dbt, pipelineId: 'contacts'),
);

foreach ($results as $item) {
    if ($item->ok()) {
        echo "{$item->index}: {$item->token}\n";
    } else {
        echo "{$item->index} error: {$item->error}\n";
    }
}
```

Errors
------

[](#errors)

The SDK throws typed exceptions from API `reason` codes — match on `$exception->reason`, not message text:

ExceptionTypical cause`PolicyDeniedException`Missing reveal policy`AuthorizationException`Wrong key scope`NotFoundException`Search miss or unknown token`AuthenticationException`Invalid or revoked key`SubzeroNotReadyException`API down or migrations pendingExample
-------

[](#example)

With the API running and keys configured in the dashboard:

```
export SUBZERO_TOKENIZE_API_KEY=sz_live_...
export SUBZERO_REVEAL_API_KEY=sz_live_...
php examples/vault_demo.php
```

Tests
-----

[](#tests)

```
composer test
```

Related
-------

[](#related)

- [Python SDK](../python-sdk/)
- [Node SDK](../node-sdk/)
- [C# SDK](../c%23-sdk/)
- [Vault API](../subzero-api/docs/vault-api.md)

###  Health Score

39

—

LowBetter than 85% of packages

Maintenance100

Actively maintained with recent releases

Popularity0

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity42

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Unknown

Total

1

Last Release

0d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/cf604741a38f7196603867ae563bdd021840ceade1c055f68863a252879d8336?d=identicon)[adamiceberg](/maintainers/adamiceberg)

---

Top Contributors

[![adamodicho97](https://avatars.githubusercontent.com/u/98548305?v=4)](https://github.com/adamodicho97 "adamodicho97 (3 commits)")

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/the-iceberg-company-subzero/health.svg)

```
[![Health](https://phpackages.com/badges/the-iceberg-company-subzero/health.svg)](https://phpackages.com/packages/the-iceberg-company-subzero)
```

###  Alternatives

[aws/aws-sdk-php

AWS SDK for PHP - Use Amazon Web Services in your PHP project

6.2k532.1M2.5k](/packages/aws-aws-sdk-php)[neuron-core/neuron-ai

The PHP Agentic Framework.

2.0k496.1k34](/packages/neuron-core-neuron-ai)[tencentcloud/tencentcloud-sdk-php

TencentCloudApi php sdk

3661.2M46](/packages/tencentcloud-tencentcloud-sdk-php)[tempest/framework

The PHP framework that gets out of your way.

2.2k31.1k12](/packages/tempest-framework)[dgtlss/warden

A Laravel package that proactively monitors your dependencies for security vulnerabilities by running automated composer audits and sending notifications via webhooks and email

9056.1k](/packages/dgtlss-warden)[eslazarev/wildberries-sdk

Wildberries OpenAPI clients (generated).

252.5k](/packages/eslazarev-wildberries-sdk)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
