clerk/backend-php

Changelog · Ask a Question

---

Overview

Clerk is the easiest way to add authentication and user management to your application. To gain a better understanding of the Clerk Backend API, refer to the Backend API documentation.

Summary

Clerk Backend API: The Clerk REST Backend API, meant to be accessed by backend servers.

Versions

When the API changes in a way that isn't compatible with older versions, a new version is released. Each version is identified by its release date, e.g. 2021-02-05. For more information, please see Clerk API Versions.

Please see https://clerk.com/docs for more information.

More information about the API can be found at https://clerk.com/docs

Table of Contents

• clerk/backend-php
  • Overview
  • SDK Installation
  • Usage
  • SDK Example Usage
  • Request Authentication
  • Authentication
  • Available Resources and Operations
  • Error Handling
  • Server Selection
• Development
  • Maturity
  • Support
  • Contributing
  • Security
  • License

SDK Installation

The SDK relies on Composer to manage its dependencies.

To install the SDK and add it as a dependency to an existing composer.json file:

composer require "clerk/backend-php"

Usage

Retrieve your Backend API key from the API Keys screen in your Clerk dashboard and set it as an environment variable in a .env file:

CLERK_PUBLISHABLE_KEY=pk_*******
CLERK_SECRET_KEY=sk_******

SDK Example Usage

Example

declare(strict_types=1);

require 'vendor/autoload.php';

use Clerk\Backend;

$sdk = Backend\ClerkBackend::builder()
    ->setSecurity(
        '<YOUR_BEARER_TOKEN_HERE>'
    )
    ->build();



$response = $sdk->emailAddresses->get(
    emailAddressId: '<id>'
);

if ($response->emailAddress !== null) {
    // handle response
}

Request Authentication

Use the authenticateRequest method to authenticate a request from your app's frontend (when using a Clerk frontend SDK) to Clerk's Backend API. For example the following utility function checks if the user is effectively signed in:

use GuzzleHttp\Psr7\Request;
use Clerk\Backend\Helpers\Jwks\AuthenticateRequestOptions;
use Clerk\Backend\Helpers\Jwks\AuthenticateRequest;
use Clerk\Backend\Helpers\Jwks\RequestState;

class UserAuthentication
{
    public static function isSignedIn(Request $request): bool
    {
        $options = new AuthenticateRequestOptions(
            secretKey: getenv("CLERK_SECRET_KEY"),
            authorizedParties: ["https://example.com"]
        );

        $requestState = AuthenticateRequest::authenticateRequest($request, $options);

        return $requestState.isSignedIn();
    }
}

If the request is correctly authenticated, the token's payload is made available in $requestState->payload. Otherwise the reason for the token verification failure is given by requestState->errorReason.

Authentication

Per-Client Security Schemes

This SDK supports the following security scheme globally:

Name	Type	Scheme
bearerAuth	http	HTTP Bearer

To authenticate with the API the bearerAuth parameter must be set when initializing the SDK. For example:

declare(strict_types=1);

require 'vendor/autoload.php';

use Clerk\Backend;

$sdk = Backend\ClerkBackend::builder()
    ->setSecurity(
        '<YOUR_BEARER_TOKEN_HERE>'
    )
    ->build();



$response = $sdk->miscellaneous->getInterstitial(
    frontendApi: '<value>',
    publishableKey: '<value>'

);

if ($response->statusCode === 200) {
    // handle response
}

Available Resources and Operations

Available methods

actorTokens

• create - Create actor token
• revoke - Revoke actor token

allowlistBlocklist

• createAllowlistIdentifier - Add identifier to the allow-list
• createBlocklistIdentifier - Add identifier to the block-list
• deleteBlocklistIdentifier - Delete identifier from block-list
• listAllowlistIdentifiers - List all identifiers on the allow-list

allowlistIdentifiers

• delete - Delete identifier from allow-list

betaFeatures

• changeProductionInstanceDomain - Update production instance domain
• updateInstanceSettings - Update instance settings
• updateDomain - Update production instance domain ⚠️ Deprecated

blocklistIdentifiers

• list - List all identifiers on the block-list

clients

• get - Get a client
• list - List all clients ⚠️ Deprecated
• verify - Verify a client

domains

• add - Add a domain
• delete - Delete a satellite domain
• list - List all instance domains
• update - Update a domain

emailAddresses

• create - Create an email address
• delete - Delete an email address
• get - Retrieve an email address
• update - Update an email address

emailAndSmsTemplates

• upsert - Update a template for a given type and slug ⚠️ Deprecated

emailSMSTemplates

• get - Retrieve a template ⚠️ Deprecated
• list - List all templates ⚠️ Deprecated
• revert - Revert a template ⚠️ Deprecated
• toggleTemplateDelivery - Toggle the delivery by Clerk for a template of a given type and slug ⚠️ Deprecated

instanceSettings

• update - Update instance settings
• updateOrganizationSettings - Update instance organization settings
• updateRestrictions - Update instance restrictions

invitations

• create - Create an invitation
• list - List all invitations
• revoke - Revokes an invitation

jwks

• get - Retrieve the JSON Web Key Set of the instance

jwtTemplates

• create - Create a JWT template
• delete - Delete a Template
• get - Retrieve a template
• list - List all templates
• update - Update a JWT template

miscellaneous

• getInterstitial - Returns the markup for the interstitial page

oauthApplications

• create - Create an OAuth application
• delete - Delete an OAuth application
• get - Retrieve an OAuth application by ID
• list - Get a list of OAuth applications for an instance
• rotateSecret - Rotate the client secret of the given OAuth application
• update - Update an OAuth application

organizationDomain

• update - Update an organization domain.

organizationDomains

• create - Create a new organization domain.
• delete - Remove a domain from an organization.
• list - Get a list of all domains of an organization.

organizationInvitations

• create - Create and send an organization invitation
• bulkCreate - Bulk create and send organization invitations
• get - Retrieve an organization invitation by ID
• getAll - Get a list of organization invitations for the current instance
• list - Get a list of organization invitations
• listPending - Get a list of pending organization invitations ⚠️ Deprecated
• revoke - Revoke a pending organization invitation

organizationMemberships

• create - Create a new organization membership
• delete - Remove a member from an organization
• getAll - Get a list of all organization memberships within an instance.
• list - Get a list of all members of an organization
• update - Update an organization membership
• updateMetadata - Merge and update organization membership metadata

organizations

• create - Create an organization
• delete - Delete an organization
• deleteLogo - Delete the organization's logo.
• get - Retrieve an organization by ID or slug
• list - Get a list of organizations for an instance
• mergeMetadata - Merge and update metadata for an organization
• update - Update an organization
• uploadLogo - Upload a logo for the organization

phoneNumbers

• create - Create a phone number
• delete - Delete a phone number
• get - Retrieve a phone number
• update - Update a phone number

proxyChecks

• verify - Verify the proxy configuration for your domain

redirectUrls

• create - Create a redirect URL
• delete - Delete a redirect URL
• get - Retrieve a redirect URL

redirectURLs

• list - List all redirect URLs

samlConnections

• create - Create a SAML Connection
• delete - Delete a SAML Connection
• get - Retrieve a SAML Connection by ID
• list - Get a list of SAML Connections for an instance
• update - Update a SAML Connection

sessions

• createTokenFromTemplate - Create a session token from a jwt template
• get - Retrieve a session
• list - List all sessions
• revoke - Revoke a session
• verify - Verify a session ⚠️ Deprecated

signInTokens

• create - Create sign-in token
• revoke - Revoke the given sign-in token

signUps

• update - Update a sign-up

templates

• preview - Preview changes to a template ⚠️ Deprecated

testingTokens

• create - Retrieve a new testing token

users

• ban - Ban a user
• create - Create a new user
• createTOTP - Create a TOTP for a user
• deleteBackupCodes - Disable all user's Backup codes
• deleteExternalAccount - Delete External Account
• deleteTotp - Delete all the user's TOTPs
• delete - Delete a user
• deleteProfileImage - Delete user profile image
• disableMFA - Disable a user's MFA methods
• getOAuthAccessToken - Retrieve the OAuth access token of a user
• get - Retrieve a user
• list - List all users
• count - Count users
• lock - Lock a user
• setProfileImage - Set user profile image
• unban - Unban a user
• unlock - Unlock a user
• update - Update a user
• updateMetadata - Merge and update a user's metadata
• deletePasskey - Delete a user passkey
• deleteWeb3Wallet - Delete a user web3 wallet
• getOrganizationInvitations - Retrieve all invitations for a user
• getOrganizationMemberships - Retrieve all memberships for a user
• verifyPassword - Verify the password of a user
• verifyTOTP - Verify a TOTP or backup code for a user

webhooks

• createSvixApp - Create a Svix app
• deleteSvixApp - Delete a Svix app
• generateSvixAuthURL - Create a Svix Dashboard URL

Error Handling

Handling errors in this SDK should largely match your expectations. All operations return a response object or throw an exception.

By default an API error will raise a Errors\SDKException exception, which has the following properties:

Property	Type	Description
$message	string	The error message
$statusCode	int	The HTTP status code
$rawResponse	?\Psr\Http\Message\ResponseInterface	The raw HTTP response
$body	string	The response content

When custom error responses are specified for an operation, the SDK may also throw their associated exception. You can refer to respective Errors tables in SDK docs for more details on possible exception types for each operation. For example, the get method throws the following exceptions:

Error Type	Status Code	Content Type
Errors\ClerkErrors	400, 401, 404	application/json
Errors\SDKException	4XX, 5XX	*/*

Example

declare(strict_types=1);

require 'vendor/autoload.php';

use Clerk\Backend;

$sdk = Backend\ClerkBackend::builder()
    ->setSecurity(
        '<YOUR_BEARER_TOKEN_HERE>'
    )
    ->build();

try {
    $response = $sdk->clients->get(
        clientId: '<id>'
    );

    if ($response->client !== null) {
        // handle response
    }
} catch (Errors\ClerkErrorsThrowable $e) {
    // handle $e->$container data
    throw $e;
} catch (Errors\SDKException $e) {
    // handle default exception
    throw $e;
}

Server Selection

Override Server URL Per-Client

The default server can also be overridden globally using the setServerUrl(string $serverUrl) builder method when initializing the SDK client instance. For example:

declare(strict_types=1);

require 'vendor/autoload.php';

use Clerk\Backend;

$sdk = Backend\ClerkBackend::builder()
    ->setServerURL('https://api.clerk.com/v1')
    ->build();



$response = $sdk->miscellaneous->getInterstitial(
    frontendApi: '<value>',
    publishableKey: '<value>'

);

if ($response->statusCode === 200) {
    // handle response
}

Development

Maturity

This SDK is in beta, and there may be breaking changes between versions without a major version update. Therefore, we recommend pinning usage to a specific package version. This way, you can install the same version each time without breaking changes unless you are intentionally looking for the latest version.

Support

You can get in touch with us in any of the following ways:

• Join the official community Clerk Discord server
• Create a GitHub Discussion
• Contact options listed on Clerk Support page

Contributing

We're open to all community contributions!

Security

@clerk/backend-php follows good practices of security, but 100% security cannot be assured.

@clerk/backend-php is provided "as is" without any warranty. Use at your own risk.

For more information and to report security issues, please refer to the security documentation.

License

This project is licensed under the MIT license.

See LICENSE for more information.