WorkOS PHP SDK

Vault
in package

Application

Constants

DEFAULT_RESPONSE_LIMIT = 10

Properties

$client : HttpClient

Methods

__construct() : mixed
createDataKey() : array<string|int, mixed>: Generate a data key for local encryption.
createObject() : array<string|int, mixed>: Create a new Vault encrypted object.
decrypt() : string: Decrypt data that was previously encrypted using the encrypt method.
decryptDataKey() : array<string|int, mixed>: Decrypt encrypted data keys previously generated by createDataKey.
deleteObject() : void: Permanently delete a Vault encrypted object.
encrypt() : string: Encrypt data locally using AES-GCM with a data key derived from the context.
getObjectMetadata() : array<string|int, mixed>: Get a Vault object's metadata without decrypting the value.
listObjects() : array<string|int, mixed>: Gets a list of encrypted Vault objects.
listObjectVersions() : array<string|int, mixed>: Gets a list of versions for a specific Vault object.
readObject() : array<string|int, mixed>: Get a Vault object with the value decrypted.
readObjectByName() : array<string|int, mixed>: Get a Vault object by name with the value decrypted.
updateObject() : array<string|int, mixed>: Update an existing Vault object.
aesGcmDecrypt() : string: AES-256-GCM decrypt.
aesGcmEncrypt() : array{ciphertext: string, iv: string, tag: string}: AES-256-GCM encrypt.
decodeEncryptedPayload() : array{iv: string, tag: string, keys: string, ciphertext: string}: Extract IV, tag, keyBlob, and ciphertext from a base64 payload.
decodeU32Leb128() : array{0: int, 1: int}: Decode an unsigned LEB128-encoded 32-bit integer.
encodeU32Leb128() : string: Encode a 32-bit unsigned integer as LEB128.

DEFAULT_RESPONSE_LIMIT


    private
        mixed
    DEFAULT_RESPONSE_LIMIT
    = 10

$client read-only


        private
            HttpClient
    $client

__construct()


    public
                    __construct(HttpClient $client) : mixed

Parameters

$client : HttpClient

createDataKey()

Generate a data key for local encryption.


    public
                    createDataKey(array<string|int, mixed> $keyContext) : array<string|int, mixed>

Parameters

$keyContext : array<string|int, mixed>

Return values

array<string|int, mixed>

createObject()

Create a new Vault encrypted object.


    public
                    createObject(string $name, string $value, array<string|int, mixed> $keyContext) : array<string|int, mixed>

Parameters

$name : string
$value : string
$keyContext : array<string|int, mixed>

Return values

array<string|int, mixed>

decrypt()

Decrypt data that was previously encrypted using the encrypt method.


    public
                    decrypt(string $encryptedData[, string|null $associatedData = null ]) : string

Parameters

$encryptedData : string: The base64-encoded encrypted payload.
$associatedData : string|null = null: Additional authenticated data (AAD). (Optional)

Return values

string —

The decrypted plaintext.

decryptDataKey()

Decrypt encrypted data keys previously generated by createDataKey.


    public
                    decryptDataKey(string $keys) : array<string|int, mixed>

Parameters

$keys : string

Return values

array<string|int, mixed>

deleteObject()

Permanently delete a Vault encrypted object.


    public
                    deleteObject(string $objectId) : void

Parameters

$objectId : string

encrypt()

Encrypt data locally using AES-GCM with a data key derived from the context.


    public
                    encrypt(string $data, array<string|int, mixed> $keyContext[, string|null $associatedData = null ]) : string

Parameters

$data : string: The plaintext data to encrypt.
$keyContext : array<string|int, mixed>: The key context for data key derivation.
$associatedData : string|null = null: Additional authenticated data (AAD). (Optional)

Return values

string —

The base64-encoded encrypted payload.

getObjectMetadata()

Get a Vault object's metadata without decrypting the value.


    public
                    getObjectMetadata(string $objectId) : array<string|int, mixed>

Parameters

$objectId : string

Return values

array<string|int, mixed>

listObjects()

Gets a list of encrypted Vault objects.


    public
                    listObjects([int $limit = self::DEFAULT_RESPONSE_LIMIT ][, string|null $before = null ][, string|null $after = null ]) : array<string|int, mixed>

Parameters

$limit : int = self::DEFAULT_RESPONSE_LIMIT
$before : string|null = null
$after : string|null = null

Return values

array<string|int, mixed>

listObjectVersions()

Gets a list of versions for a specific Vault object.


    public
                    listObjectVersions(string $objectId) : array<string|int, mixed>

Parameters

$objectId : string

Return values

array<string|int, mixed>

readObject()

Get a Vault object with the value decrypted.


    public
                    readObject(string $objectId) : array<string|int, mixed>

Parameters

$objectId : string

Return values

array<string|int, mixed>

readObjectByName()

Get a Vault object by name with the value decrypted.


    public
                    readObjectByName(string $name) : array<string|int, mixed>

Parameters

$name : string

Return values

array<string|int, mixed>

updateObject()

Update an existing Vault object.


    public
                    updateObject(string $objectId, string $value[, string|null $versionCheck = null ]) : array<string|int, mixed>

Parameters

$objectId : string
$value : string
$versionCheck : string|null = null

Return values

array<string|int, mixed>

aesGcmDecrypt()

AES-256-GCM decrypt.


    private
            static        aesGcmDecrypt(string $ciphertext, string $key, string $iv, string $tag, string|null $aad) : string

Parameters

$ciphertext : string
$key : string
$iv : string
$tag : string
$aad : string|null

Return values

string

aesGcmEncrypt()

AES-256-GCM encrypt.


    private
            static        aesGcmEncrypt(string $plaintext, string $key, string $iv, string|null $aad) : array{ciphertext: string, iv: string, tag: string}

Parameters

$plaintext : string
$key : string
$iv : string
$aad : string|null

Return values

array{ciphertext: string, iv: string, tag: string}

decodeEncryptedPayload()

Extract IV, tag, keyBlob, and ciphertext from a base64 payload.


    private
            static        decodeEncryptedPayload(string $encryptedDataB64) : array{iv: string, tag: string, keys: string, ciphertext: string}

Format: [IV:12b][TAG:16b][LEB128 Length][keyBlob][ciphertext]

Parameters

$encryptedDataB64 : string

Return values

array{iv: string, tag: string, keys: string, ciphertext: string}

decodeU32Leb128()

Decode an unsigned LEB128-encoded 32-bit integer.


    private
            static        decodeU32Leb128(string $buf) : array{0: int, 1: int}

Parameters

$buf : string

Return values

array{0: int, 1: int} —

[value, bytesConsumed]

encodeU32Leb128()

Encode a 32-bit unsigned integer as LEB128.


    private
            static        encodeU32Leb128(int $value) : string

Parameters

$value : int

Return values

string

Vault in package Application

Table of Contents

Constants

Properties

Methods

Constants

DEFAULT_RESPONSE_LIMIT

Properties

$client read-only

Methods

__construct()

Parameters

createDataKey()

Parameters

Return values

createObject()

Parameters

Return values

decrypt()

Parameters

Return values

decryptDataKey()

Parameters

Return values

deleteObject()

Parameters

encrypt()

Parameters

Return values

getObjectMetadata()

Parameters

Return values

listObjects()

Parameters

Return values

listObjectVersions()

Parameters

Return values

readObject()

Parameters

Return values

readObjectByName()

Parameters

Return values

updateObject()

Parameters

Return values

aesGcmDecrypt()

Parameters

Return values

aesGcmEncrypt()

Parameters

Return values

decodeEncryptedPayload()

Parameters

Return values

decodeU32Leb128()

Parameters

Return values

encodeU32Leb128()

Parameters

Return values

Vault
in package

Application