This repository has been archived on 2023-08-20 . You can view files and clone it, but cannot push or open issues or pull requests.
A PSR-7-compatible implementation of the request-handling logic for IndieAuth authorization endpoints and token endpoints.
taproot/indieauth is currently tested against and compatible with PHP 7.3, 7.4, and 8.0.
Install taproot/indieauth using composer:

```sh
composer.phar require taproot/indieauth
```

then run `composer.phar install` (or `composer.phar update`).
Versioned releases are GPG signed so you can verify that the code hasn’t been tampered with:

```sh
gpg --recv-keys 1C00430B19C6B426922FE534BEF8CE58118AD524
cd vendor/taproot/indieauth
git tag -v v0.1.0 # Replace with the version you have installed
```
Typical minimal usage looks something like this:
```php
<?php
use Psr\Http\Message\ServerRequestInterface;
use Nyholm\Psr7\Response; // any PSR-7 ResponseInterface implementation works; Nyholm is used here as an example

// Somewhere in your app set-up code:
$server = new Taproot\IndieAuth\Server([
    // A secret key, >= 64 characters long (config key `secretKey`; reading it from the environment is just an example).
    'secretKey' => getenv('INDIEAUTH_SECRET_KEY'),

    // A path to store token data, or an object implementing TokenStorageInterface.
    'tokenStorage' => '/../data/auth_tokens/',

    // An authentication callback function, which either returns data about the current user,
    // or redirects to/implements an authentication flow.
    'authenticationHandler' => function (ServerRequestInterface $request, string $authenticationRedirect, ?string $normalizedMeUrl) {
        // If the request is authenticated, return an array with a `me` key containing the
        // canonical URL of the currently logged-in user.
        if ($userUrl = getLoggedInUserUrl($request)) {
            return ['me' => $userUrl];
        }

        // Otherwise, redirect the user to a login page, ensuring that they will be redirected
        // back to the IndieAuth flow with query parameters intact once logged in.
        // (Prefix the urlencoded redirect with your own login page URL.)
        return new Response(302, ['Location' => '' . urlencode($authenticationRedirect)]);
    },
]);

// In your authorization endpoint route:
return $server->handleAuthorizationEndpointRequest($request);

// In your token endpoint route:
return $server->handleTokenEndpointRequest($request);

// In another route (e.g. a micropub route), to authenticate the request:
// (assuming $bearerToken is a token parsed from an “Authorization: Bearer XXXXXX” header
// or access_token property from a request body)
if ($accessToken = $server->getTokenStorage()->getAccessToken($bearerToken)) {
    // Request is authenticated as $accessToken['me'], and is allowed to
    // act according to the scopes listed in $accessToken['scope'].
    $scopes = explode(' ', $accessToken['scope']);
}
```
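The snippet above assumes `$bearerToken` has already been parsed and leaves the scope check to you. As an added example (not code from the taproot/indieauth README), here is one way to do both for a protected route: it assumes the `$server` instance configured above, that `getAccessToken()` returns the stored token array or `null`, and the helper names `extractBearerToken` and `authenticateRequest` are ours.

```php
<?php
// Added example, not from the taproot/indieauth README. Assumes the configured
// Taproot\IndieAuth\Server instance from the set-up code ($server) and that
// getAccessToken() returns the stored token array or null. Both function names are ours.
use Psr\Http\Message\ServerRequestInterface;
use Taproot\IndieAuth\Server;

// Extract the bearer token from a PSR-7 request. Returns null when no token is present
// or when the client supplied one in both the header and the body: OAuth 2.0 forbids
// sending more than one, and silently picking one would hide a misbehaving client.
function extractBearerToken(ServerRequestInterface $request): ?string {
    $fromHeader = null;
    if (preg_match('/^Bearer\s+(\S+)$/i', trim($request->getHeaderLine('Authorization')), $m)) {
        $fromHeader = $m[1];
    }

    $body = $request->getParsedBody();
    $fromBody = (is_array($body) && isset($body['access_token']) && is_string($body['access_token']))
        ? $body['access_token']
        : null;

    if ($fromHeader !== null && $fromBody !== null) {
        return null; // ambiguous credentials: reject rather than guess
    }
    return $fromHeader ?? $fromBody;
}

// Resolve the token through the library's storage and require an exact scope match.
// Returns the token data (with $accessToken['me'] identifying the user) or null
// when the route must answer 401 (no/invalid token) or 403 (insufficient scope).
function authenticateRequest(Server $server, ServerRequestInterface $request, string $requiredScope): ?array {
    $bearerToken = extractBearerToken($request);
    if ($bearerToken === null) {
        return null;
    }
    $accessToken = $server->getTokenStorage()->getAccessToken($bearerToken);
    if ($accessToken === null) {
        return null; // unknown, revoked or expired token
    }
    // Scopes are space-separated; a strict in_array avoids 'create' matching 'created'
    // (as a substring check would) and treats a missing scope field as granting nothing.
    $grantedScopes = explode(' ', $accessToken['scope'] ?? '');
    if (!in_array($requiredScope, $grantedScopes, true)) {
        return null;
    }
    return $accessToken;
}

// Usage in a micropub route: $auth = authenticateRequest($server, $request, 'create');
```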
Refer to the `__construct` documentation for further configuration options, and to the documentation of both handling methods for details about what they do. Specifically:

- `Taproot\IndieAuth\Server::__construct()` for detailed information about how to configure your instance.
- `Taproot\IndieAuth\Server::handleAuthorizationEndpointRequest()` for an overview of exactly what happens during an authorization request (which is the bulk of what this library is for).
- `Taproot\IndieAuth\Callback\DefaultAuthorizationForm` (and its associated template) for details about customising the default consent screen form.
- `Taproot\IndieAuth\Callback\SingleUserPasswordAuthenticationCallback` for an example of how to implement an authentication callback, and its corresponding template for information on customising the template.
- `Taproot\IndieAuth\Storage\TokenStorageInterface` for details about implementing your own token storage.
- `Taproot\IndieAuth\Callback\AuthorizationFormInterface` for information about implementing your own authorization form.
Example Application
See the taproot/micropub example app for a working example of how to use taproot/indieauth.
- v0.1.0 coming soon!