Simple and secure OAuth 2.0 server

Summary: Simple and secure OAuth 2.0 server

Description: Opinionated, simple, easy to use OAuth 2.0 server for integrating OAuth 2.0 in your server applications using the latest (security) recommendations.

License: MIT



The project provides an opinionated OAuth 2.0 server library for integration in your own application. It has minimal dependencies, but still tries to be secure. The main purpose is to be as simple as possible whilst being secure.

This library supports all versions of PHP >= 7.4.

# Client Support

All (optional) OAuth authorization and token request parameters MUST always be sent. PKCE is required for all client types.


  • Supports PHP >= 7.4;
  • Only supports Authorization Code Grant;
  • Easy integration with your own application and/or framework;
  • Does not force a framework on you;
  • There are no toggles to shoot yourself in the foot with;
  • Requires PKCE for all client types;
  • Supports single-use only refresh tokens;
  • Does NOT implement RFC 6749 error responses (except for access_denied);
  • OAuth 2.1 draft support
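The PKCE requirement stated above (every client must send a code_challenge at the authorize endpoint and the matching code_verifier at the token endpoint) comes down to one derivation and one comparison, defined in RFC 7636. The following is an added illustration, not code from php-oauth2-server and not its API: the function names are hypothetical, and the verifier/challenge pair used for the self-check is the published RFC 7636 Appendix B test vector.

```php
<?php
declare(strict_types=1);

// Added example, not part of php-oauth2-server. Shows how a PKCE "S256"
// code_challenge is derived on the client and verified on the server
// (RFC 7636). Function names are illustrative, not the library's API.

// RFC 7636 section 4.2: base64url encoding without "=" padding.
function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Client side: a high-entropy verifier. 32 random bytes encode to
// 43 base64url characters, the minimum length the RFC allows.
function generateCodeVerifier(): string
{
    return base64UrlEncode(random_bytes(32));
}

// Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
// This is what the client sends with the authorization request.
function codeChallengeFromVerifier(string $codeVerifier): string
{
    return base64UrlEncode(hash('sha256', $codeVerifier, true));
}

// Server side, at the token endpoint: the challenge and method were stored
// with the authorization code; recompute the challenge from the presented
// code_verifier and compare in constant time.
function verifyPkce(string $storedChallenge, string $storedMethod, string $codeVerifier): bool
{
    // Accept only S256; "plain" offers no protection against a leaked
    // code_challenge and is dropped by the OAuth 2.1 draft.
    if ('S256' !== $storedMethod) {
        return false;
    }
    // RFC 7636 section 4.1: 43..128 characters from [A-Za-z0-9-._~].
    if (1 !== preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $codeVerifier)) {
        return false;
    }

    return hash_equals($storedChallenge, codeChallengeFromVerifier($codeVerifier));
}

// Self-check against the RFC 7636 Appendix B test vector.
const RFC7636_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
const RFC7636_CHALLENGE = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';

if (codeChallengeFromVerifier(RFC7636_VERIFIER) !== RFC7636_CHALLENGE) {
    throw new RuntimeException('S256 derivation does not match RFC 7636 Appendix B');
}
if (!verifyPkce(RFC7636_CHALLENGE, 'S256', RFC7636_VERIFIER)) {
    throw new RuntimeException('valid verifier was rejected');
}
// A verifier that differs by one character, or a downgrade to "plain", must fail.
if (verifyPkce(RFC7636_CHALLENGE, 'S256', RFC7636_VERIFIER . 'x')) {
    throw new RuntimeException('tampered verifier was accepted');
}
if (verifyPkce(RFC7636_CHALLENGE, 'plain', RFC7636_CHALLENGE)) {
    throw new RuntimeException('plain method was accepted');
}

// A fresh client-side pair, as a client would produce per authorization request.
$verifier = generateCodeVerifier();
echo 'code_verifier=', $verifier, PHP_EOL;
echo 'code_challenge=', codeChallengeFromVerifier($verifier), PHP_EOL;
echo 'verifies: ', var_export(verifyPkce(codeChallengeFromVerifier($verifier), 'S256', $verifier), true), PHP_EOL;
```

Run it with `php pkce_example.php` (any file name works). The server never sees the verifier until the token request, so an attacker who intercepts the authorization code alone cannot redeem it; rejecting `plain` and using `hash_equals` are the two details most often gotten wrong in hand-rolled implementations.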


Uses only core PHP extensions, no other dependencies.


Currently php-oauth2-server is not hosted on Packagist. It may be added in the future. In your composer.json:

    {
        "repositories": [
            {
                "type": "vcs",
                "url": "https://git.sr.ht/~fkooman/php-oauth2-server"
            }
        ],
        "require": {
            "fkooman/oauth2-server": "^7"
        }
    }

You can also download the signed source code archive from the project page under "release notes".


A simple, but complete example is included in the example/ directory. The authorize.php script is the "authorize endpoint", the token.php script is the "token endpoint" and the api.php script is the "protected resource" endpoint.

The example embeds a key. You MUST NOT use this key for your own applications. An example script is included to generate your own key:

$ php example/generate_key.php

You can start the demo OAuth server on your (development) machine using PHP's built in web server:

$ php -S localhost:8080 -t example/

If you have an OAuth client you can point it to http://localhost:8080/authorize.php.

You can use php-oauth2-client as a client to interact with this server, the example there is configured to work with this server out of the box.


You can contact me with any questions or issues regarding this project. Drop me a line at fkooman@tuxed.net.

If you want to (responsibly) disclose a security issue you can also use the PGP key with key ID 9C5EDD645A571EB2 and fingerprint 6237 BAF1 418A 907D AA98 EAA7 9C5E DD64 5A57 1EB2.