A quickstart example demonstrating server-side verification of Approov tokens in PHP Laravel to ensure API requests originate from trusted mobile apps.
Quickstart Approov integration example for the PHP Laravel framework
This tool is used by backend developers integrating Approov API security into PHP Laravel applications to authenticate and verify that incoming API requests come from legitimate mobile app instances. It provides a ready-made middleware example to quickly implement Approov token validation and protect API endpoints from unauthorized access.
By default, a symmetric key (HS256) is used for token signing, which requires careful secret management on the backend. For enhanced security, it is recommended to use asymmetric keys (e.g., RS256) to separate signing and verification keys. The JWT library used does not support passing symmetric keys as JWKs, so avoid setting an Approov key ID for the secret. This quickstart is framework-specific for Laravel but can be adapted from the framework-agnostic PHP example if needed.
Install and initialize the Approov CLI following official documentation
Register your API domain with Approov CLI using `approov api -add api.example.com`
Set the Approov admin role with `` eval `approov role admin` `` or `set APPROOV_ROLE=admin:___YOUR_APPROOV_ACCOUNT_NAME_HERE___` on Windows PowerShell
Retrieve the Approov secret with `approov secret -get base64`
Add the Approov secret to your Laravel project’s `.env` file as `APPROOV_BASE64_SECRET`
Create a Laravel config file `config/approov.php` to load and decode the secret
Install the JWT library with `composer require firebase/php-jwt`
Add the Approov middleware class to `app/Http/Middleware/Approov.php` in your Laravel project
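The last four steps (secret in `.env`, config file, JWT library, middleware) put together as an added example; this is not the quickstart's own middleware. The `Approov-Token` header name, the `approov.secret` config key and the JSON error bodies are assumptions that this page does not state.

```php
<?php
// app/Http/Middleware/Approov.php: added example, not the quickstart's own code.
// Assumed companion config/approov.php (env() belongs in config so config caching works):
//   return ['secret' => base64_decode(env('APPROOV_BASE64_SECRET', ''), true)];

namespace App\Http\Middleware;

use Closure;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class Approov
{
    public function handle(Request $request, Closure $next)
    {
        $secret = config('approov.secret');
        if (!is_string($secret) || $secret === '') {
            // Fail closed: a missing or non-base64 secret must never let requests through.
            Log::error('Approov secret is missing or is not valid base64');
            return response()->json(['error' => 'server misconfigured'], 500);
        }

        // Header name is an assumption of this example.
        $token = $request->header('Approov-Token');
        if (!is_string($token) || $token === '') {
            return response()->json(['error' => 'unauthorized'], 401);
        }

        try {
            // Binding the key to HS256 rejects tokens whose header names another algorithm.
            $claims = JWT::decode($token, new Key($secret, 'HS256'));
        } catch (\Throwable $e) {
            Log::warning('Approov token rejected: ' . $e->getMessage());
            return response()->json(['error' => 'unauthorized'], 401);
        }

        // php-jwt enforces exp only when the claim is present, so require it explicitly.
        if (!isset($claims->exp) || !is_numeric($claims->exp)) {
            return response()->json(['error' => 'unauthorized'], 401);
        }

        return $next($request);
    }
}
```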
`approov api -add api.example.com`
Registers the API domain with Approov to issue tokens for that domain.
`` eval `approov role admin` ``
Enables the Approov admin role in the current shell session (Linux/macOS).
`set APPROOV_ROLE=admin:___YOUR_APPROOV_ACCOUNT_NAME_HERE___`
Sets the Approov admin role environment variable in Windows PowerShell.
`approov secret -get base64`
Retrieves the Approov secret in base64 encoding for use in backend verification.