README

Official PHP SDK for Coffrify, encrypted file transfer infrastructure.

PSR-4, no Composer-shipped HTTP layer (uses native ext-curl). PHP 8.1+.

Install

composer require coffrify/coffrify-php

Quickstart

<?php
require 'vendor/autoload.php';

$coffrify = new Coffrify\Client(getenv('COFFRIFY_API_KEY'));

$r = $coffrify->transfers->create(
  [['name' => 'rapport.pdf', 'size' => 1240000, 'mime_type' => 'application/pdf']],
  ['expires_in_hours' => 72, 'max_downloads' => 10, 'password' => 's3cret!']
);
echo $r['share_url'] . PHP_EOL;

// Webhooks
$hook = $coffrify->webhooks->create([
  'name'   => 'Production hook',
  'url'    => 'https://app.example.com/hooks/coffrify',
  'events' => ['transfer.created', 'transfer.scan_infected', 'workspace.payment_failed'],
]);
echo "Save this secret: {$hook['secret']}" . PHP_EOL;

Webhook signature verification (Slim/Symfony/etc.)

<?php
$raw = file_get_contents('php://input');
$sig = $_SERVER['HTTP_X_COFFRIFY_SIGNATURE'] ?? '';
$v   = Coffrify\Webhook::verify($raw, $sig, getenv('COFFRIFY_WEBHOOK_SECRET'));
if (!$v['valid']) { http_response_code(400); exit($v['reason']); }

match ($v['event']['type']) {
  'transfer.downloaded'    => handleDownload($v['event']),
  'transfer.scan_infected' => quarantine($v['event']),
  default                  => null,
};
http_response_code(200);

The header has the form t=<timestamp>,v1=<hmac_hex>. Verification:

1. Confirms the timestamp is within ±5 minutes (replay protection).
2. Recomputes HMAC-SHA256(secret, "<timestamp>.<raw_body>") in constant time (hash_equals).

API key rotation

$result = $coffrify->apiKeys->rotate('ak_…', 7);
// Save $result['new_key'] now — old key auto-revokes at $result['grace_until']

License

MIT.