Download the PHP package craftpulse/craft-auth-kit without Composer

On this page you can find all versions of the php package craftpulse/craft-auth-kit. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package craft-auth-kit

Auth Kit

Foundational authentication primitives for Craft CMS 5 — passwordless tokens (magic links + email OTP), passkey wrappers, a recent-auth gate, and a password-validator contract. The shared base for the CraftPulse security ecosystem.

Auth Kit is primitives + contracts. It ships no routes, controllers, or UX — consuming plugins (Warden, Warp, a Password Policy adapter) own those and call into Auth Kit's services. It is a free, foundational plugin rather than a bare library because the token store needs a table and migrations: a single installed plugin owns the authkit_* schema once, so consumers never collide on it.

Requirements

Installation

Most of the time you won't install Auth Kit directly — it is pulled in as a Composer dependency of the plugin that uses it.

What it provides

Token core — AuthKit::$plugin->tokens

Issue and consume hashed, single-use, TTL'd passwordless credentials. The raw secret is never persisted (only its SHA-256 hash); consumption burns the token atomically; issuance is enumeration- and timing-safe.

Tunable as service properties (no settings model — set on the component, e.g. via config/app.php): tokenTtl (default 900s), otpDigits (6), otpMaxAttempts (5), perEmailLimit (5), perEmailWindow (300s), and magicLinkRoute — the site route your plugin registers for the verify URL (Auth Kit imposes no URLs).

[!IMPORTANT] issueMagicLink() / issueOtp() return whether a credential was actually sent, but any public-facing caller must respond identically whether or not the address exists — that is what keeps the endpoint enumeration-safe. Per-IP rate limiting belongs on your controller (core's RateLimiter); the per-address throttle here covers every channel including programmatic use.

Passkeys & recent-auth — AuthKit::$plugin->passkeys

Thin wrappers over core's WebAuthn machinery for front-end users, plus the recent-auth gate (the passwordless replacement for elevated sessions; stamped automatically on login).

Password validation contract — AuthKit::$plugin->passwords

The neutral cooperation seam for password strength and breach checks. Plugins cooperate through this contract and a registry — never by sniffing each other with isPluginInstalled().

A provider (e.g. Password Policy) registers a validator implementing craftpulse\authkit\passwords\PasswordValidatorInterface:

If no validator is registered, validate() is a graceful no-op (valid). The interface is deliberately tiny and stable — treat any change to it as a major version bump.

Front end

A craft.authKit Twig variable exposes hasPasskeys, passkeys, and webauthnJsUrl for templates, and Auth Kit publishes a shared authkit-webauthn.js browser client. Default auth_kit_magic_link and auth_kit_otp system messages ship out of the box; consumers override them.

Events

Service Event Fired
tokens EVENT_AFTER_ISSUE_TOKEN after a token is issued
tokens EVENT_BEFORE_CONSUME_TOKEN before consume (cancelable — refuses login, leaves the token unburned)
tokens EVENT_AFTER_CONSUME_TOKEN after consume, user resolved
passwords EVENT_REGISTER_PASSWORD_VALIDATORS to register password validators

Consumers

Plugin Uses Auth Kit for
Warden Lite passwordless: magic links, passkeys, recent-auth
Warp (planned) the whole passwordless product surface
Password Policy (planned adapter) provides a PasswordValidatorInterface adapter

License

MIT — © CraftPulse


All versions of craft-auth-kit with dependencies

PHP Build Version
Package Version
Requires php Version ^8.2
craftcms/cms Version ^5.3
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package craftpulse/craft-auth-kit contains the following files

Loading the files please wait ...