Header
Header-based session token transport.
class Header implements \Hazaar\Auth\Session\Transport\SessionTransport
Handles extracting session tokens from inbound auth headers and optionally emitting outbound advisory token headers.
Properties
options
Options for configuring the header transport.
private array $options
Methods
__construct
Constructor for HeaderTransport.
public __construct(array $config): void
Inbound token extraction defaults to standard Authorization headers:

- Access token: Authorization: Bearer <token>
- Refresh token: Authorization: Refresh <token>

Outbound token emission is optional (emit_headers) and uses advisory headers by default:

- X-Auth-Access-Token
- X-Auth-Refresh-Token

Parameters
| Parameter | Type | Description |
|---|---|---|
| $config | array | |
extractToken
Extracts the token from the configured HTTP request header.
public extractToken(array $options): ?string
When a non-empty prefix is configured (e.g. Bearer), the header value must start with <prefix> and the token is the remainder. When the prefix is empty, the raw header value is returned as-is.
Parameters
| Parameter | Type | Description |
|---|---|---|
| $options | array | |
extractRefreshToken
Extracts the refresh token from configured inbound refresh header options.
public extractRefreshToken(array $options): ?string
Parameters
| Parameter | Type | Description |
|---|---|---|
| $options | array | |
persistToken
Persists the access token as an outbound advisory response header.
public persistToken(Response $response, ExpiringToken $token, array $options): void
Because this is a client-managed transport, the server cannot guarantee the client will store or resend this header. A debug notice is logged as a reminder. When the prefix is empty (default), the token is written as the bare header value; otherwise it is prefixed as <prefix> <token>.
Parameters
| Parameter | Type | Description |
|---|---|---|
| $response | Response | the response object where the header will be set |
| $token | ExpiringToken | the authentication token to be persisted |
| $options | array | optional settings for token persistence |
persistRefreshToken
Persists the refresh token in a dedicated outbound advisory response header.
public persistRefreshToken(Response $response, ExpiringToken $refreshToken, array $options): void
Parameters
| Parameter | Type | Description |
|---|---|---|
| $response | Response | the response object to which the header will be added |
| $refreshToken | ExpiringToken | the refresh token to persist |
| $options | array | optional parameters for token persistence |
clearToken
Clears the advisory token headers from the response.
public clearToken(Response $response, array $options): void
Removes both the access-token and refresh-token headers so stale tokens are not forwarded to the client on logout or session expiry.
Parameters
| Parameter | Type | Description |
|---|---|---|
| $response | Response | |
| $options | array | |
persistenceMode
Returns TransportPersistence::ClientManaged because HTTP headers are not stored or replayed by browsers automatically.
public persistenceMode(): TransportPersistence
The client must capture advisory token headers and include them on subsequent requests.
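
The client half of a client-managed transport, as an added example that is not part of the Hazaar code base: it captures the advisory response headers and resends the tokens in Authorization headers. It assumes the default header names, the Bearer and Refresh schemes, and the default empty outbound prefix documented above; TokenClient, clean, demo and their method names are hypothetical.

```javascript
// Client side of a client-managed header transport (added example).
// Header names and schemes are the documented defaults; TokenClient and
// its method names are hypothetical.
const ACCESS_HEADER = 'X-Auth-Access-Token';
const REFRESH_HEADER = 'X-Auth-Refresh-Token';

// Accept only a bare, non-empty token with no whitespace or control
// characters, so a malformed advisory header is never echoed into a request.
function clean(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  return v !== '' && !/[\s\x00-\x1f\x7f]/.test(v) ? v : null;
}

class TokenClient {
  #access = null;  // held in memory only
  #refresh = null;

  // `headers` is anything with get(name), e.g. fetch()'s response.headers.
  // Cross-origin scripts can read these headers only if the server lists
  // them in Access-Control-Expose-Headers.
  capture(headers) {
    const access = clean(headers.get(ACCESS_HEADER));
    const refresh = clean(headers.get(REFRESH_HEADER));
    if (access) this.#access = access;
    if (refresh) this.#refresh = refresh;
    return Boolean(access || refresh);
  }
  // Normal API call: Authorization: Bearer <token>
  requestHeaders() {
    return this.#access ? { Authorization: `Bearer ${this.#access}` } : {};
  }
  // Token refresh call: Authorization: Refresh <token>
  refreshHeaders() {
    return this.#refresh ? { Authorization: `Refresh ${this.#refresh}` } : {};
  }
  // The server cannot clear client-held tokens; call this on logout or expiry.
  clear() {
    this.#access = this.#refresh = null;
  }
}

// Constructed sample response headers (a Map stands in for fetch Headers).
function demo() {
  const client = new TokenClient();
  client.capture(new Map([[ACCESS_HEADER, 'acc.123'], [REFRESH_HEADER, 'ref.456']]));
  return [client.requestHeaders(), client.refreshHeaders()];
}
```

With fetch, pass response.headers to capture() after each response and merge requestHeaders() into the headers of the next request.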
Generated by Hazaar API Doc Generator on Tue, 21 Apr 2026 04:00:24 +0000