auth0-php-api
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseAuth0 PHP API Integration
Auth0 PHP API 集成
Protect PHP API endpoints with JWT access token validation using in API mode ().
auth0/auth0-phpSTRATEGY_API使用 的API模式(),通过JWT访问令牌验证来保护PHP API端点。
auth0/auth0-phpSTRATEGY_APIPrerequisites
前置条件
- PHP 8.2+ with extensions: ,
mbstring,openssljson - Composer installed
- Auth0 API resource configured (not an Application - must be an API)
- If you don't have Auth0 set up yet, use the skill first
auth0-quickstart
- PHP 8.2+ 及扩展:、
mbstring、openssljson - 已安装 Composer
- 已配置 Auth0 API 资源(不是应用程序,必须是API)
- 如果尚未设置 Auth0,请先使用 技能
auth0-quickstart
When NOT to Use
不适用于以下场景
- PHP web applications with login/logout flows - Use for session-based authentication
auth0-php - Laravel applications - Use which has built-in API guard support
auth0/laravel-auth0 - Symfony applications - Use with its security bundle
auth0/symfony - Single Page Applications - Use ,
auth0-react, orauth0-vuefor client-side authauth0-angular - Issuing tokens - This skill is for validating access tokens, not issuing them
- 带有登录/登出流程的PHP Web应用 - 使用 进行基于会话的身份验证
auth0-php - Laravel 应用 - 使用 ,它内置了API守卫支持
auth0/laravel-auth0 - Symfony 应用 - 使用 及其安全 bundle
auth0/symfony - 单页应用(SPA) - 使用 、
auth0-react或auth0-vue进行客户端身份验证auth0-angular - 签发令牌 - 本技能用于验证访问令牌,而非签发令牌
Quick Start Workflow
快速开始流程
1. Install SDK
1. 安装SDK
bash
composer require auth0/auth0-php vlucas/phpdotenv guzzlehttp/guzzle guzzlehttp/psr7 "symfony/cache:^7.0"- - The Auth0 SDK (v8.x)
auth0/auth0-php - - Load
vlucas/phpdotenvfiles into.env$_ENV - +
guzzlehttp/guzzle- PSR-18 HTTP client required by the SDKguzzlehttp/psr7 - - PSR-6 cache for JWKS key caching (recommended for production)
symfony/cache
bash
composer require auth0/auth0-php vlucas/phpdotenv guzzlehttp/guzzle guzzlehttp/psr7 "symfony/cache:^7.0"- - Auth0 SDK(v8.x版本)
auth0/auth0-php - - 将
vlucas/phpdotenv文件加载到.env中$_ENV - +
guzzlehttp/guzzle- SDK所需的PSR-18 HTTP客户端guzzlehttp/psr7 - - 用于JWKS密钥缓存的PSR-6缓存(生产环境推荐使用)
symfony/cache
2. Create Auth0 API
2. 创建Auth0 API
You need an API (not Application) in Auth0.
STOP - ask the user before proceeding.Ask exactly this question and wait for their answer before doing anything else:"How would you like to create the Auth0 API resource?
- Automated - I'll run Auth0 CLI scripts that create the resource and write the exact values to your
automatically..env- Manual - You create the API yourself in the Auth0 Dashboard (or via
) and provide me the Domain and Audience.auth0 apis createWhich do you prefer? (1 = Automated / 2 = Manual)"Do NOT proceed to any setup steps until the user has answered. Do NOT default to manual.
If the user chose Automated, follow the Setup Guide for complete CLI scripts. The automated path writes for you - skip Step 3 below and proceed directly to Step 4.
.envIf the user chose Manual, follow the Setup Guide (Manual Setup section) for full instructions. Then continue with Step 3 below.
Quick reference for manual API creation:
bash
undefined你需要在Auth0中创建一个API(不是应用程序)。
暂停 - 继续前请询问用户。请准确询问以下问题,等待用户回答后再进行下一步:"你希望如何创建Auth0 API资源?
- 自动化 - 我将运行Auth0 CLI脚本创建资源,并自动将准确值写入你的
文件。.env- 手动 - 你在Auth0控制台自行创建API(或通过
命令),并提供Domain和Audience。auth0 apis create你偏好哪种方式?(1 = 自动化 / 2 = 手动)"在用户回答前,请勿进行任何设置步骤。请勿默认选择手动方式。
如果用户选择自动化,请遵循设置指南中的完整CLI脚本。自动化流程会为你写入 文件 - 跳过下方的步骤3,直接进入步骤4。
.env如果用户选择手动,请遵循设置指南(手动设置章节)中的完整说明。然后继续下方的步骤3。
手动创建API的快速参考:
bash
undefinedUsing Auth0 CLI
使用Auth0 CLI
Or create manually in Auth0 Dashboard -> Applications -> APIs
或者在Auth0控制台手动创建 -> 应用程序 -> APIs3. Configure Environment
3. 配置环境变量
Create :
.envbash
AUTH0_DOMAIN=your-tenant.us.auth0.com
AUTH0_AUDIENCE=https://your-api.example.comAUTH0_DOMAINhttps://AUTH0_AUDIENCE创建 文件:
.envbash
AUTH0_DOMAIN=your-tenant.us.auth0.com
AUTH0_AUDIENCE=https://your-api.example.comAUTH0_DOMAINhttps://AUTH0_AUDIENCE4. Initialize Auth0 in API Mode
4. 以API模式初始化Auth0
Create to initialize the SDK:
auth0.phpphp
<?php
require 'vendor/autoload.php';
use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Symfony\Component\Cache\Adapter\FilesystemAdapter;
$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();
$configuration = new SdkConfiguration(
strategy: SdkConfiguration::STRATEGY_API,
domain: $_ENV['AUTH0_DOMAIN'],
clientId: null,
audience: [$_ENV['AUTH0_AUDIENCE']],
tokenAlgorithm: 'RS256',
tokenCache: new FilesystemAdapter('auth0_jwks', 600, __DIR__ . '/var/cache'),
tokenCacheTtl: 600,
);
$auth0 = new Auth0($configuration);Key differences from web app mode:
- - stateless, no sessions or cookies
STRATEGY_API - is not required for RS256 validation (only needed for HS256)
clientId - accepts an array of allowed audience strings
audience - is a PSR-6
tokenCachefor JWKS cachingCacheItemPoolInterface
创建 文件来初始化SDK:
auth0.phpphp
<?php
require 'vendor/autoload.php';
use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Symfony\Component\Cache\Adapter\FilesystemAdapter;
$dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
$dotenv->load();
$configuration = new SdkConfiguration(
strategy: SdkConfiguration::STRATEGY_API,
domain: $_ENV['AUTH0_DOMAIN'],
clientId: null,
audience: [$_ENV['AUTH0_AUDIENCE']],
tokenAlgorithm: 'RS256',
tokenCache: new FilesystemAdapter('auth0_jwks', 600, __DIR__ . '/var/cache'),
tokenCacheTtl: 600,
);
$auth0 = new Auth0($configuration);与Web应用模式的主要区别:
- - 无状态,无会话或Cookie
STRATEGY_API - RS256验证不需要 (仅HS256需要)
clientId - 接受允许的受众字符串数组
audience - 是用于JWKS缓存的PSR-6
tokenCacheCacheItemPoolInterface
5. Create Middleware Function
5. 创建中间件函数
Since the SDK does not include a built-in middleware, create a reusable guard function. Create :
middleware.phpphp
<?php
use Auth0\SDK\Auth0;
use Auth0\SDK\Token;
use Auth0\SDK\Exception\InvalidTokenException;
function requireAuth(Auth0 $auth0, ?array $requiredScopes = null): array
{
$token = $auth0->getBearerToken(
server: ['HTTP_AUTHORIZATION']
);
if ($token === null) {
http_response_code(401);
header('Content-Type: application/json');
echo json_encode(['error' => 'unauthorized', 'message' => 'Missing or invalid Bearer token']);
exit;
}
$claims = $token->toArray();
if ($requiredScopes !== null) {
$grantedScopes = isset($claims['scope']) ? explode(' ', $claims['scope']) : [];
$missingScopes = array_diff($requiredScopes, $grantedScopes);
if (!empty($missingScopes)) {
http_response_code(403);
header('Content-Type: application/json');
echo json_encode(['error' => 'insufficient_scope', 'message' => 'Token lacks required scopes']);
exit;
}
}
return $claims;
}getBearerToken()server$_SERVER['HTTP_AUTHORIZATION']$_SERVERTokenInterfacenull由于SDK不包含内置中间件,创建一个可复用的守卫函数。创建 文件:
middleware.phpphp
<?php
use Auth0\SDK\Auth0;
use Auth0\SDK\Token;
use Auth0\SDK\Exception\InvalidTokenException;
function requireAuth(Auth0 $auth0, ?array $requiredScopes = null): array
{
$token = $auth0->getBearerToken(
server: ['HTTP_AUTHORIZATION']
);
if ($token === null) {
http_response_code(401);
header('Content-Type: application/json');
echo json_encode(['error' => 'unauthorized', 'message' => '缺少或无效的Bearer令牌']);
exit;
}
$claims = $token->toArray();
if ($requiredScopes !== null) {
$grantedScopes = isset($claims['scope']) ? explode(' ', $claims['scope']) : [];
$missingScopes = array_diff($requiredScopes, $grantedScopes);
if (!empty($missingScopes)) {
http_response_code(403);
header('Content-Type: application/json');
echo json_encode(['error' => 'insufficient_scope', 'message' => '令牌缺少所需权限范围']);
exit;
}
}
return $claims;
}getBearerToken()server$_SERVER['HTTP_AUTHORIZATION']$_SERVERTokenInterfacenull6. Create API Routes
6. 创建API路由
Create as a front controller:
index.phpphp
<?php
require 'auth0.php';
require 'middleware.php';
$method = $_SERVER['REQUEST_METHOD'];
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
header('Content-Type: application/json');
switch ($path) {
case '/api/public':
echo json_encode(['message' => 'Public endpoint - no authentication required']);
break;
case '/api/private':
$claims = requireAuth($auth0);
echo json_encode(['message' => 'Private endpoint', 'sub' => $claims['sub']]);
break;
case '/api/private-scoped':
$claims = requireAuth($auth0, ['read:messages']);
echo json_encode(['messages' => [], 'sub' => $claims['sub']]);
break;
default:
http_response_code(404);
echo json_encode(['error' => 'not_found']);
break;
}创建 作为前端控制器:
index.phpphp
<?php
require 'auth0.php';
require 'middleware.php';
$method = $_SERVER['REQUEST_METHOD'];
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
header('Content-Type: application/json');
switch ($path) {
case '/api/public':
echo json_encode(['message' => '公开端点 - 无需身份验证']);
break;
case '/api/private':
$claims = requireAuth($auth0);
echo json_encode(['message' => '私有端点', 'sub' => $claims['sub']]);
break;
case '/api/private-scoped':
$claims = requireAuth($auth0, ['read:messages']);
echo json_encode(['messages' => [], 'sub' => $claims['sub']]);
break;
default:
http_response_code(404);
echo json_encode(['error' => 'not_found']);
break;
}7. Access Token Claims
7. 访问令牌声明
The decoded JWT claims are returned as an associative array:
php
$claims = requireAuth($auth0);
$userId = $claims['sub']; // user/client ID
$scopes = $claims['scope']; // space-separated granted scopes
$issuer = $claims['iss']; // issuer (your Auth0 domain URL)
$audience = $claims['aud']; // audience (string or array)
$expiration = $claims['exp']; // expiration timestampYou can also use the object's typed accessor methods:
Tokenphp
$token = $auth0->getBearerToken(server: ['HTTP_AUTHORIZATION']);
if ($token !== null) {
$subject = $token->getSubject(); // returns ?string
$issuer = $token->getIssuer(); // returns ?string
$audience = $token->getAudience(); // returns ?array
$expiration = $token->getExpiration(); // returns ?int
}解码后的JWT声明以关联数组形式返回:
php
$claims = requireAuth($auth0);
$userId = $claims['sub']; // 用户/客户端ID
$scopes = $claims['scope']; // 空格分隔的已授权权限范围
$issuer = $claims['iss']; // 签发者(你的Auth0域名URL)
$audience = $claims['aud']; // 受众(字符串或数组)
$expiration = $claims['exp']; // 过期时间戳你也可以使用 对象的类型化访问器方法:
Tokenphp
$token = $auth0->getBearerToken(server: ['HTTP_AUTHORIZATION']);
if ($token !== null) {
$subject = $token->getSubject(); // 返回 ?string
$issuer = $token->getIssuer(); // 返回 ?string
$audience = $token->getAudience(); // 返回 ?array
$expiration = $token->getExpiration(); // 返回 ?int
}8. Add CORS Headers
8. 添加CORS头
When your API receives requests from a browser-based SPA, add CORS headers. Create :
cors.phpphp
<?php
function handleCors(array $allowedOrigins): void
{
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins, true)) {
header("Access-Control-Allow-Origin: $origin");
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Authorization, Content-Type');
header('Access-Control-Max-Age: 86400');
}
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
http_response_code(204);
exit;
}
}Then add these lines at the top of , before the existing line:
index.phprequire 'auth0.php'php
require 'cors.php';
handleCors(['https://your-spa-domain.com']);The updated head should be:
index.phpphp
<?php
require 'cors.php';
handleCors(['https://your-spa-domain.com']);
require 'auth0.php';
require 'middleware.php';
// ... rest of index.phpCORS must be handled before auth so that preflight requests short-circuit without triggering token validation.
OPTIONS当你的API接收来自浏览器端SPA的请求时,添加CORS头。创建 文件:
cors.phpphp
<?php
function handleCors(array $allowedOrigins): void
{
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins, true)) {
header("Access-Control-Allow-Origin: $origin");
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Authorization, Content-Type');
header('Access-Control-Max-Age: 86400');
}
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
http_response_code(204);
exit;
}
}然后在 的顶部添加以下代码,放在现有的 之前:
index.phprequire 'auth0.php'php
require 'cors.php';
handleCors(['https://your-spa-domain.com']);更新后的 头部应为:
index.phpphp
<?php
require 'cors.php';
handleCors(['https://your-spa-domain.com']);
require 'auth0.php';
require 'middleware.php';
// ... index.php 的其余部分CORS必须在身份验证之前处理,以便预请求 在触发令牌验证前提前结束。
OPTIONS9. Test the API
9. 测试API
Agent instruction: Start the PHP built-in server and verify the basic endpoints work without credentials:bashphp -S localhost:8000 index.php & sleep 1 curl -s http://localhost:8000/api/public curl -s -o /dev/null -w "%{http_code}" http://localhost:8000/api/private
should return/api/public{"message":"Public endpoint - no authentication required"} should return HTTP 401/api/privateIf both pass, the middleware is working. Kill the background server when done:bashkill %1 2>/dev/nullFailcheck: If the server fails to start orerrors, check for PHP syntax issues or missing/api/public. After 5-6 failed iterations, use.envto ask the user for more details about their environment.AskUserQuestion
Agent instruction: STOP - ask after basic tests pass.Once public/401 tests pass, ask the user:"Your API is set up and the middleware is working (public returns 200, private returns 401 without a token). Would you like me to help you set up testing with a real access token?
- Yes - I'll help you configure an M2M application to get test tokens.
- No - I'm done for now.
Which do you prefer?"Do NOT proceed with M2M/token setup unless the user says yes. If they say no, summarize what was done and stop.
Agent instruction (M2M app setup - only if user wants testing):If the user chose to set up testing, ask:"To test your protected endpoints, you need a Machine-to-Machine (M2M) application authorized to request tokens for this API.
- Create new - I'll create a new M2M application and authorize it for this API.
- Use existing - You already have an M2M application. Provide the Client ID and I'll authorize it for this API.
Which do you prefer? (1 = Create new / 2 = Use existing)"Do NOT proceed until the user answers. Do NOT silently pick an existing application from the tenant.If the user chose "Create new":bashauth0 apps create \ --name "${PWD##*/} (Test App)" \ --type m2m \ --no-input --jsonParse the JSON withto extractjq. Do NOT useclient_id- never expose client secrets in agent context. Then create a client grant:--reveal-secretsbashauth0 api post "client-grants" --data '{ "client_id": "<CLIENT_ID>", "audience": "<API_IDENTIFIER>", "scope": ["<SCOPES>"] }'If the user chose "Use existing": Ask for the Client ID. Then create a client grant to authorize it for this API:bashauth0 api post "client-grants" --data '{ "client_id": "<USER_PROVIDED_CLIENT_ID>", "audience": "<API_IDENTIFIER>", "scope": ["<SCOPES>"] }'If the grant already exists (409 conflict), that's fine - the app is already authorized.
Agent instruction (TOKEN ISOLATION - CRITICAL):The agent MUST NEVER directly see or display access token values. Token security rules:
- Do NOT run
on its own - it outputs the token to stdoutauth0 test token- Do NOT ask the user to paste their token into the conversation
- Do NOT echo, print, or log the token value
- Do NOT store the token in a file
Secure testing approach (single-command chain):If the user explicitly asks to test the protected endpoints, use a single-command chain that captures the token into a shell variable and immediately uses it:bashphp -S localhost:8000 index.php & sleep 1 TEST_TOKEN=$(auth0 test token <M2M_CLIENT_ID> --audience <AUDIENCE> --scopes <SCOPE1,SCOPE2> 2>/dev/null | grep -o 'ey[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*') && \ [ -n "$TEST_TOKEN" ] && echo "Token acquired (${#TEST_TOKEN} chars)" && \ echo "=== GET /api/private ===" && \ curl -s http://localhost:8000/api/private -H "Authorization: Bearer $TEST_TOKEN" && \ echo "" && echo "=== GET /api/private-scoped ===" && \ curl -s http://localhost:8000/api/private-scoped -H "Authorization: Bearer $TEST_TOKEN" kill %1 2>/dev/nullRules:
- ONLY use when the user explicitly asks to test
- Always chain token acquisition + curl in a SINGLE
command&&- NEVER add
or any command that would print the raw token valueecho $TEST_TOKEN- If the token acquisition fails (empty variable), report that the M2M app may not be authorized
- Client ID is REQUIRED - if M2M setup was not completed, ask the user first
If the user does NOT ask to test, just provide the commands for them to run manually:auth0 test token <CLIENT_ID> --audience <AUDIENCE> --scopes <SCOPE1,SCOPE2> curl http://localhost:8000/api/private -H "Authorization: Bearer <PASTE_TOKEN_HERE>"
Start the server:
bash
php -S localhost:8000 index.phpTest public endpoint (no token needed):
bash
curl http://localhost:8000/api/publicTest protected endpoint without token (should return 401):
bash
curl http://localhost:8000/api/privateTest protected endpoint with token:
bash
curl http://localhost:8000/api/private \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"Test scoped endpoint:
bash
curl http://localhost:8000/api/private-scoped \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"Get a test token via Auth0 Dashboard -> APIs -> Test tab, or via the M2M flow described above.
Agent指令: 启动PHP内置服务器,验证基础端点在无凭据情况下是否正常工作:bashphp -S localhost:8000 index.php & sleep 1 curl -s http://localhost:8000/api/public curl -s -o /dev/null -w "%{http_code}" http://localhost:8000/api/private
应返回/api/public{"message":"公开端点 - 无需身份验证"} 应返回HTTP 401/api/private如果两者都通过,说明中间件工作正常。完成后终止后台服务器:bashkill %1 2>/dev/null故障检查: 如果服务器无法启动或报错,请检查PHP语法问题或缺失的/api/public文件。经过5-6次失败尝试后,使用.env询问用户更多关于其环境的细节。AskUserQuestion
Agent指令:基础测试通过后暂停并询问用户。一旦公开端点/401测试通过,请询问用户:"你的API已设置完成,中间件工作正常(公开端点返回200,无令牌时私有端点返回401)。你是否需要我帮助你设置使用真实访问令牌的测试?
- 是 - 我将帮助你配置M2M应用以获取测试令牌。
- 否 - 我已完成当前操作。
你偏好哪种方式?"除非用户同意,否则请勿进行M2M/令牌设置。如果用户选择否,总结已完成的操作并停止。
Agent指令(仅当用户需要测试时才进行M2M应用设置):如果用户选择设置测试,请询问:"要测试受保护的端点,你需要一个被授权为此API请求令牌的机器到机器(M2M)应用。
- 创建新应用 - 我将创建一个新的M2M应用并授权其访问此API。
- 使用现有应用 - 你已有M2M应用,请提供客户端ID,我将授权其访问此API。
你偏好哪种方式?(1 = 创建新 / 2 = 使用现有)"在用户回答前请勿继续。请勿从租户中静默选择现有应用。如果用户选择"创建新应用":bashauth0 apps create \ --name "${PWD##*/} (Test App)" \ --type m2m \ --no-input --json使用解析JSON以提取jq。请勿使用client_id- 切勿在Agent上下文中暴露客户端密钥。 然后创建客户端授权:--reveal-secretsbashauth0 api post "client-grants" --data '{ "client_id": "<CLIENT_ID>", "audience": "<API_IDENTIFIER>", "scope": ["<SCOPES>"] }'如果用户选择"使用现有应用": 请求用户提供客户端ID。然后创建客户端授权以允许其访问此API:bashauth0 api post "client-grants" --data '{ "client_id": "<USER_PROVIDED_CLIENT_ID>", "audience": "<API_IDENTIFIER>", "scope": ["<SCOPES>"] }'如果授权已存在(409冲突),无需处理 - 应用已被授权。
Agent指令(令牌隔离 - 关键):Agent绝对不能直接查看或显示访问令牌值。令牌安全规则:
- 请勿单独运行
- 它会将令牌输出到标准输出auth0 test token- 请勿要求用户将令牌粘贴到对话中
- 请勿回显、打印或记录令牌值
- 请勿将令牌存储在文件中
安全测试方法(单命令链):如果用户明确要求测试受保护的端点,请使用单命令链将令牌捕获到shell变量中并立即使用:bashphp -S localhost:8000 index.php & sleep 1 TEST_TOKEN=$(auth0 test token <M2M_CLIENT_ID> --audience <AUDIENCE> --scopes <SCOPE1,SCOPE2> 2>/dev/null | grep -o 'ey[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*') && \ [ -n "$TEST_TOKEN" ] && echo "已获取令牌(${#TEST_TOKEN} 字符)" && \ echo "=== GET /api/private ===" && \ curl -s http://localhost:8000/api/private -H "Authorization: Bearer $TEST_TOKEN" && \ echo "" && echo "=== GET /api/private-scoped ===" && \ curl -s http://localhost:8000/api/private-scoped -H "Authorization: Bearer $TEST_TOKEN" kill %1 2>/dev/null规则:
- 仅在用户明确要求测试时使用
- 始终将令牌获取+curl放在单个
命令链中&&- 切勿添加
或任何会打印原始令牌值的命令echo $TEST_TOKEN- 如果令牌获取失败(变量为空),报告M2M应用可能未被授权
- 必须提供客户端ID - 如果未完成M2M设置,请先询问用户
如果用户未要求测试,仅提供供他们手动运行的命令:auth0 test token <CLIENT_ID> --audience <AUDIENCE> --scopes <SCOPE1,SCOPE2> curl http://localhost:8000/api/private -H "Authorization: Bearer <PASTE_TOKEN_HERE>"
启动服务器:
bash
php -S localhost:8000 index.php测试公开端点(无需令牌):
bash
curl http://localhost:8000/api/public测试无令牌的受保护端点(应返回401):
bash
curl http://localhost:8000/api/private使用令牌测试受保护端点:
bash
curl http://localhost:8000/api/private \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"测试带权限范围的端点:
bash
curl http://localhost:8000/api/private-scoped \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"通过Auth0控制台 -> APIs -> 测试选项卡,或上述M2M流程获取测试令牌。
Common Mistakes
常见错误
| Mistake | Fix |
|---|---|
Hardcoding | Always read from environment variables - never embed credentials in code |
Using | API mode must use |
| Installing without a PSR-18 HTTP client | Must have |
| Not caching JWKS keys | Without a PSR-6 cache, the SDK fetches JWKS on every request - always configure |
Passing | |
Passing | |
Using | Always pass |
| Echoing exception messages to users | Use |
| Using an ID token instead of an access token | Must use the access token for API auth - ID tokens are for the client app |
| Created an Application instead of an API in Auth0 | Must create an API resource (Applications -> APIs) - an Application doesn't issue access tokens with the right audience |
Setting | For RS256, |
Using | |
Passing | The |
| 错误 | 修复方案 |
|---|---|
在代码中硬编码 | 始终从环境变量读取 - 切勿在代码中嵌入凭据 |
为API使用 | API模式必须使用 |
| 安装时未包含PSR-18 HTTP客户端 | 必须安装 |
| 未缓存JWKS密钥 | 没有PSR-6缓存时,SDK会在每次请求时获取JWKS - 始终配置 |
将 | |
将 | |
调用 | 手动调用 |
| 向用户回显异常消息 | 使用 |
| 使用ID令牌而非访问令牌 | API身份验证必须使用访问令牌 - ID令牌用于客户端应用 |
| 在Auth0中创建了应用程序而非API | 必须创建API资源(应用程序 -> APIs)- 应用程序不会签发具有正确受众的访问令牌 |
设置了 | 对于RS256, |
使用 | |
将 | |
Key SDK Methods
关键SDK方法
| Method | Returns | Purpose |
|---|---|---|
| | Searches specified |
| | Manually decodes and validates a JWT string |
| | Access the SDK configuration instance |
| | Returns all token claims as an associative array |
| | Returns the |
| | Returns the |
| | Returns the |
| | Returns the |
| 方法 | 返回值 | 用途 |
|---|---|---|
| | 在指定的 |
| | 手动解码并验证JWT字符串 |
| | 访问SDK配置实例 |
| | 返回所有令牌声明的关联数组 |
| | 返回 |
| | 返回 |
| | 返回 |
| | 返回 |
Related Skills
相关技能
- - For PHP web apps with login/logout using session-based auth
auth0-php - - Basic Auth0 setup and framework detection
auth0-quickstart - - Manage Auth0 resources from the terminal
auth0-cli - - Add Multi-Factor Authentication
auth0-mfa
- - 用于带有登录/登出功能的PHP Web应用,基于会话的身份验证
auth0-php - - 基础Auth0设置和框架检测
auth0-quickstart - - 从终端管理Auth0资源
auth0-cli - - 添加多因素身份验证
auth0-mfa
Quick Reference
快速参考
SdkConfiguration for APIs:
php
$configuration = new SdkConfiguration(
strategy: SdkConfiguration::STRATEGY_API, // required - stateless mode
domain: $_ENV['AUTH0_DOMAIN'], // required
audience: [$_ENV['AUTH0_AUDIENCE']], // required - array of identifiers
tokenAlgorithm: 'RS256', // default
tokenCache: $psrCacheAdapter, // recommended for production
tokenCacheTtl: 600, // JWKS cache TTL in seconds
);Token validation:
php
$token = $auth0->getBearerToken(server: ['HTTP_AUTHORIZATION']); // returns ?TokenInterface
$claims = $token->toArray(); // all claims as array
$userId = $token->getSubject(); // sub claimManual decode:
php
use Auth0\SDK\Token;
$token = $auth0->decode(
$jwtString,
tokenType: Token::TYPE_ACCESS_TOKEN,
);Environment variables:
- - your Auth0 tenant domain (e.g.
AUTH0_DOMAIN)tenant.us.auth0.com - - your API identifier (e.g.
AUTH0_AUDIENCE)https://api.example.com
Common Use Cases:
- Protect routes -> (see Step 5)
requireAuth($auth0) - Scope enforcement -> (see Step 5)
requireAuth($auth0, ['read:messages']) - CORS setup -> Integration Guide
- Multi-audience validation -> Integration Guide
- Advanced configuration -> API Reference
API模式的SdkConfiguration:
php
$configuration = new SdkConfiguration(
strategy: SdkConfiguration::STRATEGY_API, // 必填 - 无状态模式
domain: $_ENV['AUTH0_DOMAIN'], // 必填
audience: [$_ENV['AUTH0_AUDIENCE']], // 必填 - 标识符数组
tokenAlgorithm: 'RS256', // 默认值
tokenCache: $psrCacheAdapter, // 生产环境推荐
tokenCacheTtl: 600, // JWKS缓存TTL(秒)
);令牌验证:
php
$token = $auth0->getBearerToken(server: ['HTTP_AUTHORIZATION']); // 返回 ?TokenInterface
$claims = $token->toArray(); // 所有声明的数组形式
$userId = $token->getSubject(); // sub声明手动解码:
php
use Auth0\SDK\Token;
$token = $auth0->decode(
$jwtString,
tokenType: Token::TYPE_ACCESS_TOKEN,
);环境变量:
- - 你的Auth0租户域名(例如
AUTH0_DOMAIN)tenant.us.auth0.com - - 你的API标识符(例如
AUTH0_AUDIENCE)https://api.example.com
常见用例:
- 保护路由 -> (见步骤5)
requireAuth($auth0) - 权限范围强制 -> (见步骤5)
requireAuth($auth0, ['read:messages']) - CORS设置 -> 集成指南
- 多受众验证 -> 集成指南
- 高级配置 -> API参考
Detailed Documentation
详细文档
- Setup Guide - Auth0 CLI setup, environment configuration, getting test tokens
- Integration Guide - Scopes, permissions, middleware, multi-audience, CORS, error handling
- API Reference - Complete SDK API for API mode, configuration options, token methods
- 设置指南 - Auth0 CLI设置、环境配置、获取测试令牌
- 集成指南 - 权限范围、权限、中间件、多受众、CORS、错误处理
- API参考 - API模式的完整SDK API、配置选项、令牌方法