WorkOS PHP SDK

SessionManager
in package

Table of Contents

Properties

$client  : HttpClient

Methods

__construct()  : mixed
authenticate()  : array<string|int, mixed>
Authenticate a sealed session cookie by unsealing and validating the JWT.
fetchJwks()  : array<string|int, mixed>
Fetch the JWKS keys for the given client ID.
getJwksUrl()  : string
Build the JWKS URL for the given client ID.
getLogoutUrl()  : string
Get the logout URL for a session.
refresh()  : array<string|int, mixed>
Refresh a sealed session by exchanging the refresh token.
sealData()  : string
Encrypt a data array into a sealed string using symmetric encryption.
sealSessionFromAuthResponse()  : string
Seal session data from an authentication response into a cookie-safe string.
unsealData()  : array<string|int, mixed>
Decrypt a sealed string back to a data array.
decodeAccessToken()  : array<string|int, mixed>
Decode and validate an access token JWT.

Properties

Methods

authenticate()

Authenticate a sealed session cookie by unsealing and validating the JWT.

public authenticate(string $sessionData, string $cookiePassword, string $clientId[, string $baseUrl = 'https://api.workos.com/' ]) : array<string|int, mixed>

Returns an associative array with 'authenticated' => true and session claims on success, or 'authenticated' => false and a 'reason' on failure.

Parameters
$sessionData : string

The sealed session cookie value.

$cookiePassword : string

The encryption key.

$clientId : string

The WorkOS client ID (for JWKS URL).

$baseUrl : string = 'https://api.workos.com/'

The WorkOS API base URL. Defaults to 'https://api.workos.com/'.

Return values
array<string|int, mixed>

Authentication result.

fetchJwks()

Fetch the JWKS keys for the given client ID.

public fetchJwks(string $clientId) : array<string|int, mixed>
Parameters
$clientId : string

The WorkOS client ID.

Return values
array<string|int, mixed>

The JWKS response.

getJwksUrl()

Build the JWKS URL for the given client ID.

public static getJwksUrl(string $clientId[, string $baseUrl = 'https://api.workos.com/' ]) : string
Parameters
$clientId : string

The WorkOS client ID.

$baseUrl : string = 'https://api.workos.com/'

The WorkOS API base URL.

Return values
string

The JWKS URL.

getLogoutUrl()

Get the logout URL for a session.

public getLogoutUrl(string $sessionData, string $cookiePassword, string $clientId[, string|null $returnTo = null ][, string $baseUrl = 'https://api.workos.com/' ]) : string
Parameters
$sessionData : string

The sealed session cookie value.

$cookiePassword : string

The encryption key.

$clientId : string

The WorkOS client ID.

$returnTo : string|null = null

Optional URL to redirect to after logout.

$baseUrl : string = 'https://api.workos.com/'

The WorkOS API base URL.

Tags
throws
InvalidArgumentException

If the session cannot be authenticated.

Return values
string

The logout URL.

refresh()

Refresh a sealed session by exchanging the refresh token.

public refresh(string $sessionData, string $cookiePassword, string $clientId[, string|null $organizationId = null ]) : array<string|int, mixed>
Parameters
$sessionData : string

The sealed session cookie value.

$cookiePassword : string

The encryption key.

$clientId : string

The WorkOS client ID.

$organizationId : string|null = null

Optional organization to scope the refresh to.

Return values
array<string|int, mixed>

Refresh result with 'authenticated', 'sealed_session', and claims.

sealData()

Encrypt a data array into a sealed string using symmetric encryption.

public static sealData(array<string|int, mixed> $data, string $key) : string
Parameters
$data : array<string|int, mixed>

The data to seal.

$key : string

The base64-encoded encryption key (must be 32 bytes decoded).

Return values
string

The sealed (encrypted) string.

sealSessionFromAuthResponse()

Seal session data from an authentication response into a cookie-safe string.

public static sealSessionFromAuthResponse(string $accessToken, string $refreshToken, string $cookiePassword[, array<string|int, mixed>|null $user = null ][, array<string|int, mixed>|null $impersonator = null ]) : string
Parameters
$accessToken : string

The access token from the auth response.

$refreshToken : string

The refresh token from the auth response.

$cookiePassword : string

The encryption key (base64-encoded, 32 bytes decoded).

$user : array<string|int, mixed>|null = null

The user data from the auth response. (Optional)

$impersonator : array<string|int, mixed>|null = null

The impersonator data, if present. (Optional)

Return values
string

A sealed session string suitable for storing in a cookie.

unsealData()

Decrypt a sealed string back to a data array.

public static unsealData(string $sealedData, string $key) : array<string|int, mixed>
Parameters
$sealedData : string

The sealed (encrypted) string.

$key : string

The base64-encoded encryption key.

Tags
throws
InvalidArgumentException

If decryption fails.

Return values
array<string|int, mixed>

The decrypted data.

decodeAccessToken()

Decode and validate an access token JWT.

private static decodeAccessToken(string $accessToken, string $clientId, string $baseUrl) : array<string|int, mixed>

This helper performs a basic JWT decode: it extracts the claims without verifying the signature, and is meant for tokens that have already been validated upstream. For production use, fetch the JWKS and validate the signature properly.

Parameters
$accessToken : string

The JWT access token.

$clientId : string

The WorkOS client ID (unused in basic decode).

$baseUrl : string

The WorkOS API base URL (unused in basic decode).

Tags
throws
InvalidArgumentException

If the token cannot be decoded.

Return values
array<string|int, mixed>

The decoded JWT claims.
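
The signature check that the note on decodeAccessToken() calls for, as an added example (not code from the WorkOS SDK), using only PHP's OpenSSL extension. It assumes the JWKS array has the standard RFC 7517 shape and that tokens are signed with RS256; every function name is hypothetical, and the key pair and token in the demo are constructed.

```php
<?php
// Added example, not SDK code; assumes an RFC 7517 JWKS and RS256; names are hypothetical.
function b64u(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return (string) base64_decode(strtr($s, '-_', '+/') . $pad, true);
}
function b64uEnc(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function derLen(int $n): string {
    if ($n < 0x80) return chr($n);
    $b = ltrim(pack('N', $n), "\x00");
    return chr(0x80 | strlen($b)) . $b;
}
function derInt(string $v): string {
    $v = ltrim($v, "\x00");
    if ($v === '' || (ord($v[0]) & 0x80)) $v = "\x00" . $v; // keep the INTEGER positive
    return "\x02" . derLen(strlen($v)) . $v;
}
function jwkToPem(array $jwk): string { // RSA JWK (n, e) -> SubjectPublicKeyInfo PEM
    $seq = derInt(b64u($jwk['n'])) . derInt(b64u($jwk['e']));
    $key = "\x30" . derLen(strlen($seq)) . $seq;
    $body = hex2bin('300d06092a864886f70d0101010500') // rsaEncryption AlgorithmIdentifier
        . "\x03" . derLen(strlen($key) + 1) . "\x00" . $key;
    $der = "\x30" . derLen(strlen($body)) . $body;
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($der), 64, "\n") . "-----END PUBLIC KEY-----\n";
}
function verifyAccessToken(string $jwt, array $jwks, int $now): array {
    $p = explode('.', $jwt);
    if (count($p) !== 3) throw new InvalidArgumentException('malformed token');
    $header = json_decode(b64u($p[0]), true);
    // Pin the algorithm: the token must never be allowed to choose "none" or an HMAC variant.
    if (($header['alg'] ?? null) !== 'RS256') throw new InvalidArgumentException('unexpected alg');
    foreach ($jwks['keys'] ?? [] as $k) {
        if (($k['kty'] ?? '') !== 'RSA' || ($k['kid'] ?? null) !== ($header['kid'] ?? '')) continue;
        if (openssl_verify("$p[0].$p[1]", b64u($p[2]), jwkToPem($k), OPENSSL_ALGO_SHA256) !== 1) break;
        $claims = json_decode(b64u($p[1]), true);
        if (!is_array($claims) || ($claims['exp'] ?? 0) <= $now) throw new InvalidArgumentException('expired');
        return $claims;
    }
    throw new InvalidArgumentException('no matching key or bad signature');
}
// Constructed demo: throwaway key pair, a token signed locally, then a copy with a corrupted signature.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$rsa = openssl_pkey_get_details($priv)['rsa'];
$jwks = ['keys' => [['kty' => 'RSA', 'kid' => 'demo', 'n' => b64uEnc($rsa['n']), 'e' => b64uEnc($rsa['e'])]]];
$input = b64uEnc('{"alg":"RS256","kid":"demo"}') . '.' . b64uEnc(json_encode(['sub' => 'user_demo', 'exp' => time() + 60]));
openssl_sign($input, $sig, $priv, OPENSSL_ALGO_SHA256);
var_dump(verifyAccessToken("$input." . b64uEnc($sig), $jwks, time())['sub']);
try { verifyAccessToken("$input." . b64uEnc(strrev($sig)), $jwks, time()); }
catch (InvalidArgumentException $e) { echo "rejected: {$e->getMessage()}\n"; }
```

Claims should be read only from the array this function returns, so that nothing is trusted before the signature, key ID, algorithm and expiry have all been checked.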


        