A PHP quickstart example demonstrating server-side verification of Approov tokens to ensure API requests originate from trusted mobile apps.
Quickstart Approov integration example for PHP without depending on a framework.
This tool is used by backend developers to integrate Approov token verification into PHP APIs without relying on any framework, ensuring that only requests from verified mobile app instances are processed. It is ideal for securing API endpoints against unauthorized or tampered requests in mobile app ecosystems.
Do not assign a key ID to the Approov secret: the JWT library used does not support symmetric keys with key IDs, so token verification would fail. For enhanced security, consider using asymmetric keys (e.g., RS256) instead of the default symmetric HS256 algorithm. Keep the Approov secret secure and never expose it in client-side code.
Set up the Approov CLI following official Approov installation documentation
Register your API domain with Approov CLI using: approov api -add api.example.com
Enable the Approov admin role with: eval `approov role admin` (or set the APPROOV_ROLE environment variable on Windows)
Retrieve the Approov secret in base64 format using: approov secret -get base64
Add the Approov secret to your project’s .env file as APPROOV_BASE64_SECRET
Install the firebase/php-jwt package via Composer: composer require firebase/php-jwt
Add the provided PHP code snippet to your project to perform token verification
approov api -add api.example.com
Registers the API domain with Approov to issue tokens for it
eval `approov role admin`
Enables the Approov admin role in the current shell session
$env:APPROOV_ROLE = "admin:___YOUR_APPROOV_ACCOUNT_NAME_HERE___"
Sets the Approov admin role environment variable in Windows PowerShell
approov secret -get base64
Retrieves the Approov secret key in base64 format for token verification
composer require firebase/php-jwt
Installs the PHP JWT library used to decode and verify Approov tokens
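The verification step these instructions lead up to, as an added example (not the quickstart's own snippet): it decodes the base64 secret, pins HS256, and fails closed on any error. Assumptions: firebase/php-jwt v6 or later installed via Composer; the function name verifyApproovToken is hypothetical; requiring an exp claim is a defensive check added here; the secret and tokens below are constructed demo values.

```php
<?php declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Hypothetical helper: returns the verified claims, or null when the request must be rejected.
function verifyApproovToken(?string $token, string $base64Secret): ?stdClass
{
    if ($token === null || $token === '') {
        return null; // no token supplied
    }
    // `approov secret -get base64` returns base64 text; HMAC needs the raw bytes.
    $secret = base64_decode($base64Secret, true);
    if ($secret === false || $secret === '') {
        throw new RuntimeException('APPROOV_BASE64_SECRET is not valid base64');
    }
    try {
        // Key pins the algorithm to HS256, so a token claiming another alg is refused.
        // decode() checks the signature and, when present, the exp claim.
        $claims = JWT::decode($token, new Key($secret, 'HS256'));
    } catch (Throwable $e) {
        // Fail closed and log only the error class, never the token or secret.
        error_log('Approov token rejected: ' . get_class($e));
        return null;
    }
    // php-jwt validates exp only if the claim exists, so require it explicitly.
    return isset($claims->exp) ? $claims : null;
}

// --- Constructed demo values, not a real secret or real tokens ---
$demoSecret = base64_encode('constructed-demo-secret-32-bytes!!'); // stands in for APPROOV_BASE64_SECRET
$raw     = base64_decode($demoSecret, true);
$valid   = JWT::encode(['exp' => time() + 300], $raw, 'HS256');
$expired = JWT::encode(['exp' => time() - 300], $raw, 'HS256');
$forged  = JWT::encode(['exp' => time() + 300], 'some-other-constructed-secret-key', 'HS256');
$noExp   = JWT::encode(['sub' => 'demo'], $raw, 'HS256');

$cases = ['valid' => $valid, 'expired' => $expired, 'forged' => $forged,
          'no-exp' => $noExp, 'missing' => null];
foreach ($cases as $name => $token) {
    $ok = verifyApproovToken($token, $demoSecret) !== null;
    printf("%-8s %s\n", $name, $ok ? 'accepted' : 'rejected (respond 401)');
}
```

In an API handler, pass the value of the request header that carries the Approov token and the APPROOV_BASE64_SECRET value loaded from .env, and return 401 whenever the function returns null.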