TrueLayer/Signing

PHP library to produce & verify TrueLayer API request signatures. If you want to know more about how TrueLayer's signatures work, see this documentation for an explanation.

Installation

Require using composer:

$ composer require truelayer/signing

Usage

Signing

<?php
declare(strict_types=1);

use TrueLayer\Signing\Signer;

$signer = Signer::signWithPemFile('kid-value', '/path/to/privatekey');
$signer->method('POST')
    ->path('/path')
    ->header('Idempotency-Key', 'my-key')
    ->body('stringified request body');
    
$signature = $signer->sign();

You can also sign a PSR-7 request which will automatically compile the signature and add it to the Tl-Signature header.

<?php
declare(strict_types=1);

use TrueLayer\Signing\Signer;

$signer = Signer::signWithPemFile('kid-value', '/path/to/privatekey');
$request = $signer->addSignatureHeader($request)

Verifying

You can use the library to verify signatures as well.

<?php
declare(strict_types=1);

use TrueLayer\Signing\Exceptions\InvalidSignatureException;
use TrueLayer\Signing\Verifier;

$verifier = Verifier::verifyWithPemFile('/path/to/publickey');
$verifier->method('POST')
    ->path('/path')
    ->headers([
        'Idempotency-Key' => 'my-key',
        'Correlation-Id'  => 'my-correlation',
    ])
    ->requireHeaders([
        'User-Agent',
    ])
    ->body('stringified request body');

try {
    $verifier->verify('this is a fake signature');
} catch (InvalidSignatureException $e) {
    throw $e;
}

Loading keys

Depending on your use case, the library allows various ways of instantiating the Signer and the Verifier.