--- title: PHP Server SDK --- # PHP Server SDK Official PHP server-side SDK — published as [`captchala/captchala-php`](https://packagist.org/packages/captchala/captchala-php) on Packagist. Three jobs the SDK handles for you: 1. **Validate** — verify a `pt_` pass token from the browser SDK. 2. **Issue** — mint a one-time `sct_` server token to bind the upcoming challenge to a specific action / IP / UID. 3. **Moderate** — multi-modal (text + image) content moderation against the same OpenAI-compatible pipeline the dashboard uses. ## Install ```bash composer require captchala/captchala-php ``` Requires **PHP ≥ 8.0** with `ext-json`. Uses cURL when available, falls back to `file_get_contents`. ## Validate (`pt_` token) Pass the end-user's IP as the third argument (from `CF-Connecting-IP` / `X-Forwarded-For`, falling back to `REMOTE_ADDR`). Optional, but **recommended** — it's used for additional risk checks. ```php use Captchala\Client; $client = new Client('your_app_key', 'your_app_secret'); $result = $client->validate($_POST['captcha_token'], false, captchala_client_ip()); if (!$result->isValid()) { http_response_code(400); exit($result->getError()); // e.g. "token_expired" } // Verification passed; proceed with the request. // $result->getCaptchaArgs() has platform / user_ip / referer / pkg / solved_at / risk_score // Real end-user IP behind a CDN / proxy function captchala_client_ip(): string { foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR'] as $h) { if (!empty($_SERVER[$h])) { $ip = trim(explode(',', $_SERVER[$h])[0]); if (filter_var($ip, FILTER_VALIDATE_IP)) return $ip; } } return ''; } ``` No IP handy? Use `$client->validate($_POST['captcha_token'])` — it still verifies, just without the extra IP-based risk signal. If you issued the original `server_token` with `bind_uid`, compare the `uid` returned with the user you actually expect: ```php if ($result->getUid() !== $expectedUserId) { http_response_code(400); exit('user mismatch'); } ``` ## Issue a server token For high-value flows (login, register, payment) the recommended pattern is: backend mints a one-time `sct_` token, hands it to the browser, browser passes it as the `serverToken` prop. Each token is single-use, action-scoped, and optionally bound to IP / UID at issuance time. ```php $issue = $client->issueServerToken( action: 'login', bindingIp: $request->ip(), ttl: 300, // seconds; default 300 maxUses: 5, // SDK retry budget bindUid: $user->id, // pair with ValidateResult::getUid() on verify ); if (!$issue->isOk()) { return ['error' => $issue->getError()]; // rate_limit_exceeded, invalid_action, ... } return ['server_token' => $issue->getToken()]; // hand to browser ``` ## Moderate content Multi-modal — accepts a mix of text and image URLs in OpenAI-compatible format: ```php $result = $client->moderationCheck([ ['type' => 'text', 'text' => $userComment], ['type' => 'image_url', 'image_url' => ['url' => $uploadedImageUrl]], ], userId: $user->id); if (!$result->isOk()) { // request error: invalid_credentials, no_content, transport failure, ... return ['error' => $result->getError()]; } if ($result->isFlagged()) { // upstream model flagged; inspect categories for the why if ($result->hasCategory('violence', 'csam')) { // hard block } } ``` Plain-text shortcut: ```php $result = $client->moderationText('user comment here', userId: $user->id); ``` Categories are model-defined (e.g. `violence`, `hate`, `sexual`, `self-harm`); iterate `getCategories()` defensively rather than hard-coding a fixed set. ## Result classes | Class | Methods | |---|---| | `ValidateResult` | `isValid()`, `getError()`, `getUid()`, `getChallengeId()`, `getAction()`, `isOffline()`, `isClientOnly()`, `getWarning()`, `toArray()` | | `IssueResult` | `isOk()`, `getToken()`, `getExpiresIn()`, `getIssuedAt()`, `getError()`, `getMessage()`, `toArray()` | | `ModerationResult` | `isOk()`, `isFlagged()`, `hasCategory(...$names)`, `getCategories()`, `getContentType()`, `getRaw()`, `getError()`, `getMessage()`, `toArray()` | ## Links - [Packagist](https://packagist.org/packages/captchala/captchala-php) · [GitHub](https://github.com/Captcha-La/captchala-php) - [Web SDK overview](/web-sdk) · [API Reference](/api-reference)