sendity/laravel-auth

Laravel app integration for hosted or self-hosted Sendity

Package info

gitlab.com/sendity/frameworks/laravel

pkg:composer/sendity/laravel-auth

Statistics

Installs: 14

Dependents: 0

Suggesters: 0

Stars: 0

v0.1.6 2026-05-31 02:16 UTC

This package is auto-updated.

Last update: 2026-05-31 02:16:56 UTC


README

Laravel host-application integration for Sendity.

composer require sendity/laravel-auth

This package is intentionally not the self-hosted Sendity server. It owns the backend Laravel authentication glue and includes an optional Blade component for normal server-rendered Laravel apps:

  • resolves the configured Sendity server URL;
  • validates RS256 result JWTs issued by the Sendity server;
  • exchanges browser authorization tokens into normal Laravel web sessions;
  • provisions or reuses Eloquent users through a configurable resolver;
  • rejects replayed login tokens;
  • exposes a stateless sendity auth guard for advanced Bearer-token requests;
  • registers the optional <x-sendity /> Blade wrapper for the Sendity Custom Element.

Configuration

Publish the config:

php artisan vendor:publish --tag=sendity-config

Relevant environment variables:

SENDITY_SERVER_URL=https://sendity.io/api/sendity
SENDITY_ISSUER=https://sendity.io
SENDITY_AUDIENCE="${APP_URL}"
SENDITY_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----..."
SENDITY_APP_PUBLIC_KEY=sendity-customer-area
SENDITY_LOGIN_REDIRECT=/dashboard

SENDITY_AUDIENCE should match the public key / app id used when creating auth requests. SENDITY_PUBLIC_KEY accepts either a PEM public key string or a readable file path.
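The checks these settings feed (RS256 signature validation against the configured public key, issuer and audience matching, replay rejection), sketched in plain PHP as an added example; this is not the package's own code. The claim names iss, aud, exp and jti, the function names and the app.example.test URL are assumptions, and the key pair is generated inside the script.

```php
<?php
// Added illustration, not sendity/laravel-auth code. Assumes ext-openssl and the
// standard JWT claims iss, aud, exp, jti; the page does not list Sendity's claims.
function b64u_enc(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64u_dec(string $s): string { return (string) base64_decode(strtr($s, '-_', '+/')); }

function verify_result_jwt(string $jwt, string $pem, string $iss, string $aud, array &$seen, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h, $p, $s] = $parts;
    $header = json_decode(b64u_dec($h), true);
    // Pin the algorithm; never let the header choose it ("none", HS256 key confusion).
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') throw new RuntimeException('unexpected alg');
    if (openssl_verify("$h.$p", b64u_dec($s), $pem, OPENSSL_ALGO_SHA256) !== 1) throw new RuntimeException('bad signature');
    $c = json_decode(b64u_dec($p), true); // claims are read only after the signature check
    if (!is_array($c)) throw new RuntimeException('bad payload');
    if (($c['iss'] ?? null) !== $iss) throw new RuntimeException('wrong issuer');
    if (!in_array($aud, (array) ($c['aud'] ?? []), true)) throw new RuntimeException('wrong audience');
    if (!is_int($c['exp'] ?? null) || $c['exp'] <= $now) throw new RuntimeException('expired');
    $jti = $c['jti'] ?? null;
    if (!is_string($jti) || isset($seen[$jti])) throw new RuntimeException('replayed or missing jti');
    $seen[$jti] = $c['exp']; // remember the token id until it expires
    return $c;
}

function mint(array $header, array $claims, $key): string // test helper: signs a constructed token
{
    $in = b64u_enc(json_encode($header)) . '.' . b64u_enc(json_encode($claims));
    openssl_sign($in, $sig, $key, OPENSSL_ALGO_SHA256);
    return $in . '.' . b64u_enc($sig);
}

// Constructed sample data: throwaway key pair and hypothetical audience URL.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pem = openssl_pkey_get_details($key)['key'];
[$now, $seen, $iss, $aud] = [time(), [], 'https://sendity.io', 'https://app.example.test'];
$claims = ['iss' => $iss, 'aud' => $aud, 'exp' => $now + 60, 'jti' => 'req-1'];
$token = mint(['alg' => 'RS256', 'typ' => 'JWT'], $claims, $key);
$cases = [
    'valid' => $token,
    'replay' => $token,
    'alg none' => b64u_enc('{"alg":"none"}') . '.' . explode('.', $token)[1] . '.',
    'wrong audience' => mint(['alg' => 'RS256'], ['aud' => 'https://other.example.test', 'jti' => 'req-2'] + $claims, $key),
];
foreach ($cases as $name => $jwt) {
    try { verify_result_jwt($jwt, $pem, $iss, $aud, $seen, $now); echo "$name: accepted\n"; }
    catch (RuntimeException $e) { echo "$name: rejected ({$e->getMessage()})\n"; }
}
```

In an app with several workers the `$seen` array would be a shared cache written atomically (for example Laravel's `Cache::add` with a TTL up to `exp`), so two concurrent requests cannot both pass the replay check.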

Blade component

For a typical Laravel app, render the hosted widget directly:

<x-sendity />

The component emits the public Custom Element contract (server-url, public-key, verify-urls, transport) and loads the client script once per page. Useful config keys:

'ui' => [
    'enabled' => true,
    'component' => 'sendity',
    'public_key' => env('SENDITY_APP_PUBLIC_KEY'),
    'server_url' => env('SENDITY_SERVER_URL', 'https://sendity.io/api/sendity'),
    'verify_urls' => ['mailto:verify@sendity.io'],
    'client_script_url' => 'https://sendity.io/vendor/sendity-client/index.js',
    'transport' => 'polling',
],

API-only Laravel installations can disable UI registration:

SENDITY_UI_ENABLED=false

Browser session login

By default the package registers:

POST /sendity/session

The route validates an authorization field, verifies the JWT, creates or reuses your configured user model, logs the user into Laravel's normal web guard, regenerates the session and returns:

{
  "redirect": "/dashboard"
}

Important config keys:

'login_route' => [
    'enabled' => true,
    'uri' => 'sendity/session',
    'name' => 'sendity.session',
    'middleware' => ['web', 'throttle:10,1'],
],
'login_redirect' => '/dashboard',
'allowed_identifier_types' => ['email'],
'user_model' => App\Models\User::class,
'user_identifier_column' => 'email',
'user_name_column' => 'name',
'user_verified_at_column' => 'email_verified_at',
'create_users' => true,
'mark_verified' => true,

For custom account lookup / provisioning, bind or configure a resolver implementing Sendity\Laravel\SendityUserResolver.

You can also inject Sendity\Laravel\SenditySessionAuthenticator into your own controller when you want full route ownership.

Guard

The sendity guard is for advanced Bearer-token endpoints where the request principal is the Sendity identity itself, not your app's Eloquent user/session.

Register a Laravel guard in your app config:

'guards' => [
    'sendity' => [
        'driver' => 'sendity',
    ],
],

Then protect routes with auth:sendity or resolve the guard manually:

use Illuminate\Support\Facades\Auth;

$user = Auth::guard('sendity')->user();

$user->identifier;      // verified email/phone
$user->identifierType;  // email|phone
$user->channel;         // email|whatsapp|...
$user->authRequestId;   // Sendity auth request id

Boundary

Use sendity/laravel-server only for the self-hosted server package. It must stay UI-free. sendity/laravel-auth is the host-app adapter and owns the <x-sendity /> alias.