PHP Quickstart

This guide will help you integrate Descope's PHP SDK into your backend application. The same SDK is also used with Laravel. Follow the steps below to get started.

Install Backend SDK

Install the SDK with Composer using the following command:

Terminal
composer require descope/descope-php

Set up Environment file

Create a .env file in the root directory of your project with your Descope Project ID, which can be found in the Console

If you plan to use Management functions, include a Descope Management Key here as well, which can be found here.

DESCOPE_PROJECT_ID=<Descope Project ID>
DESCOPE_MANAGEMENT_KEY=<Descope Management Key>

Setup Backend SDK

You'll need to initialize a DescopeSDK object using your Project ID.

If you're using a custom domain with your Descope project, make sure to export the Base URL (e.g. export DESCOPE_BASE_URI="https://api.descope.com") when initializing descope_client.

require 'vendor/autoload.php';
use Descope\SDK\DescopeSDK;
 
$descopeSDK = new DescopeSDK([
    'projectId' => $_ENV['DESCOPE_PROJECT_ID'],
    'managementKey' => $_ENV['DESCOPE_MANAGEMENT_KEY'] // Optional, only used for Management functions
]);

Implement Session Validation

You will need to then fetch the session token from the Authorization header of each request, and use the SDK to validate the token.

The frontend SDK will store the session token in either a cookie or your browser's local storage. If using a cookie, the token will be sent to your app server automatically with every request.

The $descopeSDK->verify($sessionToken) function can be used to verify a user's session as shown below. This returns a TRUE or FALSE depending on if the JWT is valid or not.

if (isset($_POST["sessionToken"])) {
        if ($descopeSDK->verify($_POST["sessionToken"])) {
            $_SESSION["user"] = json_decode($_POST["userDetails"], true);
            $_SESSION["sessionToken"] = $_POST["sessionToken"];
            session_write_close();
    
            // User session validated and token saved
        } else {
            error_log("Session token verification failed.");
            $descopeSDK->logout();
 
            // Redirect to login page
        }
    } else {
        error_log("Session token is not set in POST request.");
 
        // Redirect to login page
    }

By default, the SDK uses APCu for caching, provided it is enabled and configured in your environment. If APCu is not available, and no other caching mechanism is provided, caching is disabled. Read about custom caching for the Descope SDK here.

Once you've implemented the basic session validation, you can enhance your application with these additional features:

Additional Resources

Have You Implemented the Frontend Yet?

When integrating Descope into your application, you have three options depending on how much control you want over your frontend authentication experience and session management:

OptionDescriptionBest For
Use Descope FlowsDesign your authentication screens and flows visually in the Descope Console with little or no frontend code. We handle all session management for you.Fastest setup with minimal custom frontend work.
Use Descope Client SDKsBuild your own login screens and authentication experiences in your frontend using code, while relying on Descope's SDKs to manage sessions (login, logout, refresh).Customizable UX with simplified session handling.
Use Descope Backend SDKsBuild your own frontend and your own backend APIs for authentication. You fully manage sessions, tokens, and authentication logic yourself.Maximum flexibility and control, at the cost of more engineering effort.
Was this helpful?

On this page