Dependency-free authentication and authorization core for PHP.
AuthLayer owns authentication and authorization orchestration, domain contracts, value objects, decisions, audit events, and notification intents.
AuthLayer does not implement or require concrete:
- password hashing
- token signing or encryption
- OTP algorithms
- database persistence
- cache backends
- notification delivery
- HTTP or framework runtime integration
Those concerns belong in bridge packages.
- Composer: infocyph/auth-layer
- Namespace: Infocyph\AuthLayer
- PHP: >=8.4
AuthLayer currently provides source modules for:
- accounts and principals
- login and logout orchestration
- sessions and remember-me
- password reset and password change
- email verification
- passwordless flows
- access and refresh token lifecycle
- MFA orchestration
- passkey orchestration
- authorization gates and permission authorizers
- delegation and grants
- device trust and lockout
- audit events and notification intents
- in-memory support stores
- local clock, ID, and security contracts
The package contains:
- concrete contracts and DTOs
- orchestration managers
- in-memory stores for development and testing
- Pest coverage across the main library surface
- PhpBench benchmarks for core authentication, authorization, and support paths
Framework adapters, transport integrations, and concrete crypto or OTP implementations are intentionally out of scope for this package.