PHPackages truelayer/signing - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. truelayer/signing ActiveLibrary[Security](/categories/security) truelayer/signing ================= Produce and verify TrueLayer API requests signatures v1.1.0(8mo ago)1198.6k↓26.6%51MITPHPPHP ^8.1 Since Dec 9Pushed 8mo ago1 watchersCompare [ Source](https://github.com/TrueLayer/truelayer-signing-php)[ Packagist](https://packagist.org/packages/truelayer/signing)[ RSS](/packages/truelayer-signing/feed)WikiDiscussions main Synced 1mo ago READMEChangelogDependencies (8)Versions (13)Used By (1) TrueLayer/Signing ================= [](#truelayersigning) PHP library to produce & verify TrueLayer API request signatures. If you want to know more about how TrueLayer's signatures work, see [this documentation](./../request-signing-v2.md) for an explanation. Installation ------------ [](#installation) Require using composer: ``` $ composer require truelayer/signing ``` Usage ----- [](#usage) ### Signing [](#signing) First, create a Signer instance, using one of the following methods: ``` use TrueLayer\Signing\Signer; $signer = Signer::signWithPemFile('kid-value', '/path/to/privatekey'); $signer = Signer::signWithPem('kid-value', $pemContents); $signer = Signer::signWithPemBase64('kid-value', $pemContentsBase64Encoded); $signer = Signer::signWithKey('kid-value', new \Jose\Component\Core\JWK()); ``` Then you can use it to create signatures: ``` use TrueLayer\Signing\Signer; $signature = $signer->method('POST') ->path('/path') // The api path ->header('Idempotency-Key', 'my-key') // The idempotency key you must send with your request ->body('stringified request body') ->sign(); ``` You can also sign a PSR-7 request which will automatically compile the signature and add it to the `Tl-Signature`header. ``` use TrueLayer\Signing\Signer; $request = $signer->addSignatureHeader($request) ``` ### Verifying [](#verifying) First, retrieve the public keys: - for sandbox: - for production: Example using the [Guzzle](https://docs.guzzlephp.org/en/stable/) library: ``` use TrueLayer\Signing\Verifier; use GuzzleHttp\Client; // Note: you should add error handling as appropriate $httpClient = new Client(); $response = $httpClient->get('https://webhooks.truelayer-sandbox.com/.well-known/jwks')->getBody()->getContents(); $keys = json_decode($response, true)['keys']; $verifier = Verifier::verifyWithJsonKeys(...$keys); // Note the spread operator, it's important. ``` Then you can use it to verify the signature you receive in your webhook under the `tl-signature` header: ``` $verifier ->path('/path') // Should be your webhook path, for example $_SERVER['REQUEST_URI'] ->headers($headers) // All headers you receive. Header names can be in any casing. ->body('stringified request body'); // For example file_get_contents('php://input'); try { $verifier->verify($headers['tl-signature']); } catch (InvalidSignatureException $e) { throw $e; // Handle invalid signature. You should not use this request's data. } ``` ### Health Score 49 — FairBetter than 95% of packages Maintenance61 Regular maintenance activity Popularity37 Limited adoption so far Community22 Small or concentrated contributor base Maturity66 Established project with proven stability Bus Factor2 2 contributors hold 50%+ of commits How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~137 days Recently: every ~251 days Total 11 Last Release 243d ago Major Versions v0.1.5 → v1.0.02024-02-29 PHP version history (2 changes)v0.0.1PHP ^7.4|^8.0 v1.0.0PHP ^8.1 ### Community Maintainers ![](https://avatars.githubusercontent.com/u/98873?v=4)[Lee Boynton](/maintainers/lboynton)[@lboynton](https://github.com/lboynton) ![](https://avatars.githubusercontent.com/u/9030768?v=4)[Stefan Danaita](/maintainers/stefandanaita)[@stefandanaita](https://github.com/stefandanaita) ![](https://avatars.githubusercontent.com/u/1301561?v=4)[Alexandru Lighezan](/maintainers/lighe)[@lighe](https://github.com/lighe) ![](https://avatars.githubusercontent.com/u/21106665?v=4)[TrueLayer](/maintainers/TrueLayer)[@TrueLayer](https://github.com/TrueLayer) --- Top Contributors [![stefandanaita](https://avatars.githubusercontent.com/u/9030768?v=4)](https://github.com/stefandanaita "stefandanaita (6 commits)")[![lighe](https://avatars.githubusercontent.com/u/1301561?v=4)](https://github.com/lighe "lighe (3 commits)")[![Couper4](https://avatars.githubusercontent.com/u/40429634?v=4)](https://github.com/Couper4 "Couper4 (2 commits)")[![tl-alex-butler2](https://avatars.githubusercontent.com/u/129957254?v=4)](https://github.com/tl-alex-butler2 "tl-alex-butler2 (1 commits)")[![lboynton](https://avatars.githubusercontent.com/u/98873?v=4)](https://github.com/lboynton "lboynton (1 commits)")[![denisacorbu1810](https://avatars.githubusercontent.com/u/58371400?v=4)](https://github.com/denisacorbu1810 "denisacorbu1810 (1 commits)")[![artyom-jaksov-tl](https://avatars.githubusercontent.com/u/171248816?v=4)](https://github.com/artyom-jaksov-tl "artyom-jaksov-tl (1 commits)") --- Tags signingJWStruelayer ### Code Quality TestsPest Static AnalysisPHPStan Code StylePHP CS Fixer Type Coverage Yes ### Embed Badge ![Health badge](/badges/truelayer-signing/health.svg) ``` [![Health](https://phpackages.com/badges/truelayer-signing/health.svg)](https://phpackages.com/packages/truelayer-signing) ``` ### Alternatives [phpseclib/phpseclib PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc. 5.6k434.8M1.3k](/packages/phpseclib-phpseclib)[br/signed-request-bundle Symfony2 Bundle that provides request and response signing 161.7k](/packages/br-signed-request-bundle) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)