Vault
in package
Table of Contents
Properties
Methods
- __construct() : mixed
- createDataKey() : CreateDataKeyResponse
  Create a data key
- createDecrypt() : DecryptResponse
  Decrypt a data key
- createKv() : ObjectMetadata
  Create an object
- createRekey() : CreateDataKeyResponse
  Re-encrypt a data key
- decrypt() : string
  Decrypt data that was previously encrypted using the encrypt method.
- deleteKv() : void
  Delete an object
- encrypt() : string
  Encrypt data locally using AES-GCM with a data key derived from the context.
- getKv() : VaultObject
  Read an object by ID
- getName() : VaultObject
  Read an object by name
- listKv() : PaginatedResponse<string|int, ObjectSummary>
  List objects
- listKvMetadata() : ObjectWithoutValue
  Describe an object
- listKvVersions() : VersionListResponse
  List object versions
- updateKv() : ObjectWithoutValue
  Update an object
- aesGcmDecrypt() : string
- aesGcmEncrypt() : array{ciphertext: string, iv: string, tag: string}
- decodeEncryptedPayload() : array{iv: string, tag: string, keys: string, ciphertext: string}
- decodeU32Leb128() : array{0: int, 1: int}
- encodeU32Leb128() : string
Properties
$client read-only
private HttpClient $client
Methods
__construct()
public __construct(HttpClient $client) : mixed
Parameters
- $client : HttpClient
createDataKey()
Create a data key
public createDataKey(array<string, string> $context[, RequestOptions|null $options = null ]) : CreateDataKeyResponse
Generate an isolated encryption key for local encryption operations.
Parameters
- $context : array<string, string>
  Map of values used to determine the encryption key.
- $options : RequestOptions|null = null
Return values
CreateDataKeyResponse
createDecrypt()
Decrypt a data key
public createDecrypt(string $keys[, RequestOptions|null $options = null ]) : DecryptResponse
Decrypt a previously encrypted data key from WorkOS Vault.
Parameters
- $keys : string
  Base64-encoded encrypted data key to decrypt.
- $options : RequestOptions|null = null
Return values
DecryptResponse
createKv()
Create an object
public createKv(array<string, string> $keyContext, string $name, string $value[, RequestOptions|null $options = null ]) : ObjectMetadata
Encrypt and store a new key-value object.
Parameters
- $keyContext : array<string, string>
  Map of values used to determine the encryption key.
- $name : string
  Unique name for the object.
- $value : string
  Plaintext data to encrypt and store.
- $options : RequestOptions|null = null
Return values
ObjectMetadata
createRekey()
Re-encrypt a data key
public createRekey(array<string, string> $context, string $encryptedKeys[, RequestOptions|null $options = null ]) : CreateDataKeyResponse
Decrypt an existing data key and re-encrypt it under a new key context.
Parameters
- $context : array<string, string>
  Map of values used to determine the new encryption key.
- $encryptedKeys : string
  Base64-encoded encrypted data key blob to re-encrypt.
- $options : RequestOptions|null = null
Return values
CreateDataKeyResponse
decrypt()
Decrypt data that was previously encrypted using the encrypt method.
public decrypt(string $encryptedData[, string|null $associatedData = null ]) : string
Parameters
- $encryptedData : string
  The base64-encoded encrypted payload.
- $associatedData : string|null = null
  Additional authenticated data (AAD).
Return values
string: The decrypted plaintext.
deleteKv()
Delete an object
public deleteKv(string $id[, string|null $versionCheck = null ][, RequestOptions|null $options = null ]) : void
Delete an encrypted object.
Parameters
- $id : string
  Unique identifier of the object.
- $versionCheck : string|null = null
  Expected current version for optimistic locking.
- $options : RequestOptions|null = null
encrypt()
Encrypt data locally using AES-GCM with a data key derived from the context.
public encrypt(string $data, array<string, string> $context[, string|null $associatedData = null ]) : string
Parameters
- $data : string
  The plaintext data to encrypt.
- $context : array<string, string>
  The key context for data key derivation.
- $associatedData : string|null = null
  Additional authenticated data (AAD).
Return values
string: The base64-encoded encrypted payload.
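How the AAD argument of encrypt() and decrypt() behaves under AES-GCM, shown as an added example that is not the SDK's code: it calls PHP's OpenSSL extension directly. The names gcmSeal and gcmOpen, the AES-256 key size, the 12-byte IV, the 16-byte tag, and the sample key and AAD strings are assumptions of this example, not documented properties of the SDK.

```php
<?php
declare(strict_types=1);

// Added illustration: gcmSeal/gcmOpen are hypothetical names, not SDK methods.
// Assumed parameters: AES-256 key, 12-byte IV, 16-byte tag.

/** @return array{ciphertext: string, iv: string, tag: string} */
function gcmSeal(string $plaintext, string $key, ?string $aad): array
{
    $iv = random_bytes(12); // fresh nonce per message; never reuse with the same key
    $tag = '';
    $ciphertext = openssl_encrypt(
        $plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad ?? '', 16
    );
    if ($ciphertext === false) {
        throw new RuntimeException('AES-GCM encryption failed');
    }
    return ['ciphertext' => $ciphertext, 'iv' => $iv, 'tag' => $tag];
}

function gcmOpen(string $ciphertext, string $key, string $iv, string $tag, ?string $aad): string
{
    if (strlen($tag) !== 16) { // refuse truncated tags before calling OpenSSL
        throw new RuntimeException('unexpected tag length');
    }
    $plaintext = openssl_decrypt(
        $ciphertext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad ?? ''
    );
    if ($plaintext === false) { // wrong key, wrong AAD, or modified ciphertext/tag
        throw new RuntimeException('authentication failed');
    }
    return $plaintext;
}

// Constructed sample values: a random key stands in for a Vault data key.
$key = random_bytes(32);
$aad = 'tenant:acme|record:42';
$sealed = gcmSeal('example secret', $key, $aad);

echo gcmOpen($sealed['ciphertext'], $key, $sealed['iv'], $sealed['tag'], $aad), PHP_EOL;

try {
    // The same ciphertext presented under a different AAD must be rejected.
    gcmOpen($sealed['ciphertext'], $key, $sealed['iv'], $sealed['tag'], 'tenant:other|record:42');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the AAD is authenticated but not stored in the ciphertext, the caller has to supply the identical value at decrypt time; binding it to a tenant or record identifier stops a ciphertext from being replayed under another record.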
getKv()
Read an object by ID
public getKv(string $id[, RequestOptions|null $options = null ]) : VaultObject
Fetch and decrypt an object by its unique identifier.
Parameters
- $id : string
  Unique identifier of the object.
- $options : RequestOptions|null = null
Return values
VaultObject
getName()
Read an object by name
public getName(string $name[, RequestOptions|null $options = null ]) : VaultObject
Fetch and decrypt an object by its unique name.
Parameters
- $name : string
  Unique name of the object.
- $options : RequestOptions|null = null
Return values
VaultObject
listKv()
List objects
public listKv([int|null $limit = null ][, string|null $before = null ][, string|null $after = null ][, VaultOrder|null $order = null ][, string|null $search = null ][, DateTimeImmutable|null $updatedAfter = null ][, RequestOptions|null $options = null ]) : PaginatedResponse<string|int, ObjectSummary>
List all encrypted objects with cursor-based pagination.
Parameters
- $limit : int|null = null
  Upper limit on the number of objects to return. Defaults to 10.
- $before : string|null = null
  Cursor for the previous page of results.
- $after : string|null = null
  Cursor for the next page of results.
- $order : VaultOrder|null = null
  Sort direction for results.
- $search : string|null = null
  Filter results by name or structured search JSON.
- $updatedAfter : DateTimeImmutable|null = null
  ISO 8601 timestamp to filter by last modified time.
- $options : RequestOptions|null = null
Return values
PaginatedResponse<string|int, ObjectSummary>
listKvMetadata()
Describe an object
public listKvMetadata(string $id[, RequestOptions|null $options = null ]) : ObjectWithoutValue
Fetch metadata for an object without decrypting it.
Parameters
- $id : string
  Unique identifier of the object.
- $options : RequestOptions|null = null
Return values
ObjectWithoutValue
listKvVersions()
List object versions
public listKvVersions(string $id[, RequestOptions|null $options = null ]) : VersionListResponse
Retrieve all versions for a specific object.
Parameters
- $id : string
  Unique identifier of the object.
- $options : RequestOptions|null = null
Return values
VersionListResponse
updateKv()
Update an object
public updateKv(string $id, string $value[, string|null $versionCheck = null ][, RequestOptions|null $options = null ]) : ObjectWithoutValue
Update the value of an existing encrypted object.
Parameters
- $id : string
  Unique identifier of the object.
- $value : string
  New plaintext value.
- $versionCheck : string|null = null
  ID of the expected current version for optimistic locking.
- $options : RequestOptions|null = null
Return values
ObjectWithoutValue
aesGcmDecrypt()
private static aesGcmDecrypt(string $ciphertext, string $key, string $iv, string $tag, string|null $aad) : string
Parameters
- $ciphertext : string
- $key : string
- $iv : string
- $tag : string
- $aad : string|null
Return values
string
aesGcmEncrypt()
private static aesGcmEncrypt(string $plaintext, string $key, string $iv, string|null $aad) : array{ciphertext: string, iv: string, tag: string}
Parameters
- $plaintext : string
- $key : string
- $iv : string
- $aad : string|null
Return values
array{ciphertext: string, iv: string, tag: string}
decodeEncryptedPayload()
private static decodeEncryptedPayload(string $encryptedDataB64) : array{iv: string, tag: string, keys: string, ciphertext: string}
Parameters
- $encryptedDataB64 : string
Return values
array{iv: string, tag: string, keys: string, ciphertext: string}
decodeU32Leb128()
private static decodeU32Leb128(string $buf) : array{0: int, 1: int}
Parameters
- $buf : string
Return values
array{0: int, 1: int}
encodeU32Leb128()
private static encodeU32Leb128(int $value) : string
Parameters
- $value : int