Very simple OAuth 2.0 server


This is a very simple OAuth 2.0 server for integration in your own application. It has minimal dependencies, but still tries to be secure. The main purpose is to be compatible with PHP 5.4.

NOTE: if you are not bound to PHP 5.4, use the OAuth 2.0 server of the League of Extraordinary Packages! It can be found here.

Client Support

All (optional) OAuth authorization and token request parameters MUST always be sent.



This library uses libsodium, either the PECL module, php-libsodium or the native Sodium module in PHP >= 7.2, php-sodium. You MUST have one of them installed in order to use this library, even though composer.json mentions both of them as suggest.


See the example/ directory.

You can start the OAuth server on your (development) machine using PHP's built in web server:

    $ php -S localhost:8080 -t example/

If you have an OAuth client you can point it to http://localhost:8080/authorize.php.

You can use php-oauth2-client as a client to interact with this server, the example there is configured to work with this server.

Generating a Keypair

The OAuth server uses public key cryptography to sign the access tokens it generates. In order to generate this keypair, you can use the commands shown below. This is also a good test to see if (lib)sodium works properly in your PHP.

On older PHP versions with PECL libsodium version 1.x:

    $ php -r "file_put_contents('server.key', \Sodium\crypto_sign_keypair());"
    $ php -r "file_put_contents('server_public.key', \Sodium\crypto_sign_publickey(file_get_contents('server.key')));"

On PHP >= 7.2 or PECL libsodium version 2.x:

    $ php -r "file_put_contents('server.key', sodium_crypto_sign_keypair());"
    $ php -r "file_put_contents('server_public.key', sodium_crypto_sign_publickey(file_get_contents('server.key')));"

The data in server.key file can then be used as input to the SodiumSigner class, see the example. The server_public.key file will contain only the public component of the keypair.

Accepting Additional Public Keys

The BearerValidator class can be configured to accept additional public keys in addition to the "local" one that is also used for signing authorization codes, refresh tokens and access tokens.

This can be configured by specifying a second parameter to the SodiumSigner constructor, using a mapping between key identifiers (key ID) and the (binary) public key. For example:

    $sodiumSigner = new SodiumSigner(
        file_get_contents('server_1.key'),  // local key
            'server_2' => file_get_contents('server_2_public.key'), // remote key
            'server_3' => file_get_contents('server_3_public.key'), // remote key

The TokenInfo::getKeyId method can be used to verify which public key was used to verify the Bearer token. If the local key was used, this call will return local, otherwise the Key ID as configured. Here that would be either server_2 or server_3.


You can contact me with any questions or issues regarding this project. Drop me a line at

If you want to (responsibly) disclose a security issue you can also use the PGP key with key ID 9C5EDD645A571EB2 and fingerprint 6237 BAF1 418A 907D AA98 EAA7 9C5E DD64 5A57 1EB2.