
tropikal-ai/connect
===================

Framework-agnostic TROPIKAL Connect protocol primitives.

v0.1.0 (3w ago) · MIT · PHP ^8.2 · CI passing · [1 PRs](https://github.com/tropikal-ai/connect/pulls)

Since May 16 · Pushed 3w ago

[Source](https://github.com/tropikal-ai/connect) · [Packagist](https://packagist.org/packages/tropikal-ai/connect) · [RSS](/packages/tropikal-ai-connect/feed)

TROPIKAL Connect
================

Framework-agnostic protocol primitives for platform packages that implement TROPIKAL Connect.

`tropikal-ai/connect` contains OAuth PKCE helpers, signed request creation and verification, resource and capability schema rules, and browser payload safety checks. It has no Laravel, Filament, WordPress, Shopify, database, route, controller, view, storage, HTTP client, or private server implementation.

Requirements
------------

- PHP 8.2 or newer
- Composer 2

Install
-------

```
composer require tropikal-ai/connect
```

For clone-based development, add a path repository to the application that consumes the package:

```
{
    "repositories": [
        {
            "type": "path",
            "url": "shared/connect",
            "options": {
                "symlink": true,
                "versions": {
                    "tropikal-ai/connect": "0.1.0"
                }
            }
        }
    ],
    "require": {
        "tropikal-ai/connect": "^0.1"
    }
}
```

What It Provides
----------------

- PKCE S256 verifier and challenge generation.
- OAuth state generation, hashing, expiry, and validation.
- Exact redirect URI matching.
- OAuth public client registration payloads.
- Authorization and token request payload builders.
- Token response validation and safe redaction.
- Canonical signed server-to-server requests.
- Constant-time signature verification.
- Atomic nonce replay protection through a host-owned port.
- Resource, field, operation, and capability descriptors.
- Explicit read projection and write validation.
- Named action grant validation.
- Recursive browser/public payload safety checks.

Security Model
--------------

- OAuth authorization code with PKCE S256 is the only setup primitive.
- OAuth state is stored and compared by hash.
- Redirect URIs must match exactly.
- Signed requests cover method, path, normalized query string, timestamp, nonce, installation id, and body hash.
- Replay protection must be backed by an atomic `NonceStore` implementation in the host package.
- Empty resource grants expose nothing.
- Reads project declared fields only.
- Writes accept declared writable fields only.
- Write grants do not imply delete.
- Destructive operations must be explicit and confirmation-aware in host packages.
- Named actions require explicit grants.
- Secret-shaped keys are rejected in declarations and browser/public payloads.
- Browser payloads never include secrets by contract.

There is no token-paste setup path, no copied-secret setup path, and no browser-visible credential path in this package.

See [`docs/security/threat-model.md`](docs/security/threat-model.md) for the release-candidate threat model.
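
The PKCE S256, hashed-state and exact-redirect rules listed above, shown as an added example that is not code from this package. The function names are hypothetical and the 600-second state lifetime is an assumption; the challenge derivation follows RFC 7636.

```php
<?php
declare(strict_types=1);
// Function names are hypothetical; the 600 s state lifetime is an assumption.

function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** RFC 7636 S256: challenge = BASE64URL(SHA256(ASCII(verifier))). */
function pkceChallenge(string $verifier): string
{
    return base64url(hash('sha256', $verifier, true));
}

/** Returns the raw state for the authorization URL and the hashed record the host stores. */
function issueState(int $now, int $ttl = 600): array
{
    $state = base64url(random_bytes(32));
    return ['state' => $state, 'record' => ['hash' => hash('sha256', $state), 'expires_at' => $now + $ttl]];
}

function callbackIsValid(array $record, string $returnedState, string $configuredUri, string $usedUri, int $now): bool
{
    if ($now >= $record['expires_at']) {
        return false; // state expired
    }
    if (!hash_equals($record['hash'], hash('sha256', $returnedState))) {
        return false; // state does not match the stored hash
    }
    return $configuredUri === $usedUri; // byte-for-byte: no case folding, prefix match or trailing-slash tolerance
}

$verifier = base64url(random_bytes(32)); // 43 characters, within RFC 7636's 43-128 range
$challenge = pkceChallenge($verifier);   // sent with code_challenge_method=S256
$issued = issueState(1700000000);        // constructed clock value

// RFC 7636 Appendix B vector as a self-check.
var_dump(pkceChallenge('dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') === 'E9Melhoa2OwvFrEMTJguCH5pUeKbJU4Ty1yD1R9YVYM');
var_dump(callbackIsValid($issued['record'], $issued['state'], 'https://app.example.com/callback', 'https://app.example.com/callback', 1700000100));
var_dump(callbackIsValid($issued['record'], $issued['state'], 'https://app.example.com/callback', 'https://app.example.com/callback/', 1700000100));
```

The two callback checks differ only by a trailing slash in the redirect URI, which is enough to fail an exact match.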

Capability Example
------------------

```
<?php

require __DIR__ . '/vendor/autoload.php';

use TropikalAI\Connect\Domain\Resource\FieldDescriptor;
use TropikalAI\Connect\Domain\Resource\ResourceSchema;

// Every exposed field is declared explicitly, with separate readable and writable flags.
$schema = new ResourceSchema(
    key: 'research_posts',
    label: 'Research Posts',
    identifier: 'id',
    fields: [
        new FieldDescriptor('title', 'Title', readable: true, writable: true),
        new FieldDescriptor('status', 'Status', readable: true, writable: true),
        new FieldDescriptor('published_at', 'Published at', readable: true, writable: false),
    ],
    grants: ['read', 'write'],
);

// Reads project declared fields only, so 'internal_notes' is not exposed.
$publicRecord = $schema->project([
    'id' => 123,
    'title' => 'Example',
    'status' => 'draft',
    'internal_notes' => 'not exposed',
]);

// Writes accept declared writable fields only; 'internal_notes' is not one of them.
$unknownFields = $schema->unknownWriteFields([
    'title' => 'Updated',
    'internal_notes' => 'rejected',
]);
```

Private Server Boundary
-----------------------

Server and control-plane internals are intentionally absent. Platform packages provide storage, encrypted persistence, HTTP clients, admin UI, and production endpoint configuration.

Use `example.com` hosts in public documentation and tests.

Troubleshooting
---------------

- Redirect validation failed: compare the configured callback URL byte-for-byte with the callback URL used during authorization.
- Signature validation failed: verify method, path, normalized query string, body hash, timestamp, nonce, installation id, and signing key.
- A replay error occurred: make sure the host `NonceStore` claims nonces atomically.
- A field is missing from output: only explicitly declared readable fields are projected.
- A write field is rejected: only explicitly declared writable fields are accepted.
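
The signature and replay items above, together with the signed-request rules in the Security Model, shown as an added example that is not code from this package. HMAC-SHA256, the newline-joined canonical layout, the 300-second timestamp window and every name here (including the in-memory store standing in for a host `NonceStore`) are assumptions, not the package's wire format or API.

```php
<?php
declare(strict_types=1);
// Assumptions: HMAC-SHA256, newline-joined fields, a 300 s window, and every name below.
/** Stand-in for the host's store. claim() must be atomic: true only for the first claimant. */
final class InMemoryNonceStore
{
    private array $seen = [];
    public function claim(string $installationId, string $nonce): bool
    {
        $key = $installationId . "\n" . $nonce; // real stores: unique-key insert or equivalent
        $fresh = !isset($this->seen[$key]);
        $this->seen[$key] = true;
        return $fresh;
    }
}

function normalizeQuery(string $query): string
{
    $pairs = [];
    foreach ($query === '' ? [] : explode('&', $query) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $pairs[] = rawurlencode(urldecode($k)) . '=' . rawurlencode(urldecode($v));
    }
    sort($pairs, SORT_STRING);
    return implode('&', $pairs);
}

function canonical(array $r): string
{
    return implode("\n", [strtoupper($r['method']), $r['path'], normalizeQuery($r['query']),
        (string) $r['ts'], $r['nonce'], $r['installation'], hash('sha256', $r['body'])]);
}

function verify(string $key, array $r, string $sig, int $now, InMemoryNonceStore $store): string
{
    if (abs($now - $r['ts']) > 300) { return 'stale'; }
    if (!hash_equals(hash_hmac('sha256', canonical($r), $key), $sig)) { return 'bad-signature'; }
    // Claim only after the signature verifies, so unsigned traffic cannot fill the store.
    return $store->claim($r['installation'], $r['nonce']) ? 'ok' : 'replay';
}

$key = 'constructed-demo-key'; // constructed key and request, for illustration only
$req = ['method' => 'post', 'path' => '/v1/items', 'query' => 'b=2&a=1', 'ts' => 1700000000,
    'nonce' => 'n-1', 'installation' => 'inst_demo', 'body' => '{"title":"Updated"}'];
$sig = hash_hmac('sha256', canonical($req), $key);
$store = new InMemoryNonceStore();
echo verify($key, $req, $sig, 1700000010, $store), "\n";                          // first delivery
echo verify($key, ['query' => 'a=1&b=2'] + $req, $sig, 1700000010, $store), "\n"; // resent, query reordered
echo verify($key, ['body' => '{}'] + $req, $sig, 1700000010, $store), "\n";       // body altered in transit
```

The resent request still verifies because query normalization yields the same canonical string, so only the nonce claim stops it. When diagnosing a signature failure, log the canonical string on both sides and compare it field by field.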

### Health Score

40 (Fair). Better than 86% of packages.

- Maintenance: 95. Actively maintained with recent releases.
- Popularity: 12. Limited adoption so far.
- Community: 9. Small or concentrated contributor base.
- Maturity: 36. Early-stage or recently created project.
- Bus Factor: 1. Top contributor holds 100% of commits — single point of failure.

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: Unknown
- Total: 1
- Last Release: 24d ago

### Community

- Maintainers: [tropikal-ai](/maintainers/tropikal-ai)
- Top Contributors: [tropikal-ai](https://github.com/tropikal-ai "tropikal-ai (2 commits)")
- Tags: oauth, resources, pkce, signed requests

### Code Quality

- Tests: PHPUnit
- Static Analysis: PHPStan
- Code Style: Laravel Pint
- Type Coverage: Yes

### Alternatives

- [league/oauth2-server](/packages/league-oauth2-server): A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API. (6.6k · 143.0M · 269)
- [league/oauth2-client](/packages/league-oauth2-client): OAuth 2.0 Client Library (3.9k · 125.2M · 1.3k)
- [league/oauth1-client](/packages/league-oauth1-client): OAuth 1.0 Client Library (996 · 106.2M · 114)
- [knpuniversity/oauth2-client-bundle](/packages/knpuniversity-oauth2-client-bundle): Integration with league/oauth2-client to provide services (843 · 17.7M · 77)
- [socialiteproviders/manager](/packages/socialiteproviders-manager): Easily add new or override built-in providers in Laravel Socialite. (426 · 45.6M · 574)
- [league/oauth2-google](/packages/league-oauth2-google): Google OAuth 2.0 Client Provider for The PHP League OAuth2-Client (457 · 22.6M · 155)
