PHPackages                             xapps-platform/xapps-php - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. xapps-platform/xapps-php

ActiveLibrary

xapps-platform/xapps-php
========================

PHP SDK for Xapps publisher/tenant backend integrations

v0.1.1(1mo ago)00MITPHPPHP ^8.2

Since Mar 24Pushed 1mo agoCompare

[ Source](https://github.com/0x730/xapps-php)[ Packagist](https://packagist.org/packages/xapps-platform/xapps-php)[ Docs](https://gateway.0x730.com)[ RSS](/packages/xapps-platform-xapps-php/feed)WikiDiscussions main Synced 1mo ago

READMEChangelog (7)DependenciesVersions (3)Used By (0)

xapps-platform/xapps-php
========================

[](#xapps-platformxapps-php)

PHP helper SDK for tenant/publisher backend integrations.

Install
-------

[](#install)

```
composer require xapps-platform/xapps-php
```

Use `xapps-platform/xapps-php` when you want lower-level PHP primitives for gateway, callback, payment-return, or publisher-admin flows.

If you want a higher-level packaged backend contract with default routes and mode assembly, use `xapps-platform/xapps-backend-kit` instead.

Scope (MVP)
-----------

[](#scope-mvp)

- Dispatch payload parsing (`Xapps\\Dispatch::parseRequest`)
- Request signature verification (`Xapps\\Signature::verifyXappsSignature`)
- Callback client for `/v1/requests/:id/events|complete` (`Xapps\\CallbackClient`)
- Payment-return parse/sign/verify helpers (`Xapps\\PaymentReturn`)
- Provider credential bundle helpers (`Xapps\\PaymentProviderCredentials`)
- Managed gateway session shaping helpers (`Xapps\\ManagedGatewayPaymentSession`)
- Hosted gateway payment bootstrap helper (`Xapps\\HostedGatewayPaymentSession`)
- Payment policy support helpers (`Xapps\\PaymentPolicySupport`)
- Gateway client for host backends (API key and/or bearer token), including payment-session helpers and request-widget bootstrap verification (`Xapps\\GatewayClient`)
- Publisher admin API client for publisher backends (`Xapps\\PublisherApiClient`), including `listClients()`, publisher linking helpers, and bridge-token exchange parity with `@xapps-platform/server-sdk`
- Typed SDK exceptions (`Xapps\\XappsSdkError`) for callback/gateway networking + argument validation
- Unified subject-proof verifier surface (`Xapps\\SubjectProof`) via injected verifier adapters

Local path install during monorepo development
----------------------------------------------

[](#local-path-install-during-monorepo-development)

```
{
  "repositories": [
    {
      "type": "path",
      "url": "../../../../packages/xapps-php",
      "options": { "symlink": true }
    }
  ],
  "require": {
    "xapps-platform/xapps-php": "*@dev"
  }
}
```

Then:

```
composer update xapps-platform/xapps-php
```

Supported distribution modes
----------------------------

[](#supported-distribution-modes)

Current supported ways to consume `xapps-platform/xapps-php`:

1. Local/path package during monorepo development
2. Packagist-facing split package mirror and/or VCS package from the public package mirror, pinned to an approved tag for integrator environments

Current release model:

- `0x730/xapps-sdk-php` is the public PHP source/control-plane repo
- package distribution is intended to happen through split package mirrors:
    - `0x730/xapps-php`
    - `0x730/xapps-backend-kit-php`
- Packagist should point to those split package mirrors, not the raw multi-package source repo

Example VCS package install:

```
{
  "repositories": [
    {
      "type": "vcs",
      "url": ""
    }
  ],
  "require": {
    "xapps-platform/xapps-php": "dev-xpo#"
  }
}
```

Practical rule for integrators:

- pin to an approved tag or commit, not a floating branch
- treat monorepo tags/commits as the source of truth for release provenance
- run `composer test` or `php packages/xapps-php/test/run.php` against the pinned version during integration sign-off

Verify locally
--------------

[](#verify-locally)

Smoke check:

```
php packages/xapps-php/examples/smoke/smoke.php
```

Direct local package verification:

```
php packages/xapps-php/test/run.php
```

Or via Composer inside `packages/xapps-php`:

```
composer test
composer smoke
```

Payment-return parity regression (golden vector vs Node SDK contract):

```
php packages/xapps-php/examples/payment-return/parity.php
```

Managed gateway session examples:

```
php packages/xapps-php/examples/managed-gateway-session/tenant.php
php packages/xapps-php/examples/managed-gateway-session/publisher.php
```

Minimal host proxy example:

```
php packages/xapps-php/examples/host-proxy/minimal.php
```

Request-widget bootstrap verification helper:

```
$verified = $gateway->verifyBrowserWidgetContext([
    'hostOrigin' => 'https://tenant.example.test',
    'installationId' => 'inst_123',
    'bindToolName' => 'submit_form',
    'subjectId' => 'sub_123',
    'bootstrapTicket' => 'bst_123',
]);
```

Recommended request-widget posture:

- keep the publisher widget asset URL as a public/bootstrap shell
- block request-capable runtime until the short-lived widget token and context are verified server-side
- do not put secrets or durable tokens in the manifest URL
- direct raw browser hits should stay blocked instead of unlocking private request/runtime behavior

Optional stronger bootstrap transport already supported:

- `widgets[].config.xapps.bootstrap_transport = "signed_ticket"`
- current first slice reuses the short-lived signed widget token as a bootstrap ticket and carries it in the iframe URL hash
- browser widget code can forward it to the backend as `bootstrapTicket`
- `GatewayClient::verifyBrowserWidgetContext(...)` accepts both:
    - `bootstrapTicket`
    - `bootstrap_ticket`

Publisher linking + bridge helpers:

```
$publisher = new PublisherApiClient('http://localhost:3000', 'publisher-api-key');
$publisher->completeLink([
    'subjectId' => 'sub_123',
    'xappId' => 'xapp_123',
    'publisherUserId' => 'publisher-user-123',
    'metadata' => ['email' => 'user@example.test'],
]);

$status = $publisher->getLinkStatus();
$bridge = $publisher->exchangeBridgeToken([
    'publisher_id' => 'pub_123',
    'scopes' => ['publisher.api:read'],
]);
```

Higher-level tenant/publisher backend kits are intentionally not part of the current supported PHP SDK surface. The next redesign for that layer will start from backend `lib/` and `modes/`, not from route-wrapper aliases.

XPO-Core fixture conformance check (`P1`-`P5`, `N1`-`N7` payment-return vectors):

```
php packages/xapps-php/examples/payment-return/xpo-core-fixtures.php
```

Note: replay fixture handling (`N3`) is evaluated at the runner layer to model gateway/runtime replay protection semantics above pure signature verification.

Live local smoke (gateway + optional callback roundtrip):

```
XAPPS_SMOKE_BASE_URL=http://localhost:3000 \
XAPPS_SMOKE_API_KEY=xapps_test_tenant_b_key_123456789 \
php packages/xapps-php/examples/smoke/live.php
```

Optional callback leg:

```
XAPPS_SMOKE_BASE_URL=http://localhost:3000 \
XAPPS_SMOKE_API_KEY=xapps_test_tenant_b_key_123456789 \
XAPPS_SMOKE_CALLBACK_TOKEN='' \
XAPPS_SMOKE_REQUEST_ID='' \
php packages/xapps-php/examples/smoke/live.php
```

Usage
-----

[](#usage)

```