Official PHP SDK for Coffrify, encrypted file transfer infrastructure.
PSR-4, no Composer-shipped HTTP layer (uses native ext-curl). PHP 8.1+.
composer require coffrify/coffrify-php
<?php
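require 'vendor/autoload.php';

// Read the API key from the environment instead of embedding it in source.
// getenv() returns false when the variable is unset, so stop here rather than
// build a client around a non-string or empty key.
$apiKey = getenv('COFFRIFY_API_KEY');
if (!is_string($apiKey) || $apiKey === '') {
    throw new \RuntimeException('COFFRIFY_API_KEY is not set');
}
$coffrify = new Coffrify\Client($apiKey);

// Create a transfer. The first argument holds one entry per file (name, size,
// MIME type); the second holds the transfer options.
$r = $coffrify->transfers->create(
    [['name' => 'rapport.pdf', 'size' => 1240000, 'mime_type' => 'application/pdf']],
    [
        // Expiry and download cap bound how long the share link stays usable.
        'expires_in_hours' => 72,
        'max_downloads' => 10,
        // Sample value for illustration only: use a per-transfer password and
        // keep it out of version control.
        'password' => 's3cret!',
    ],
);

// The share URL is what recipients use to reach the transfer.
echo $r['share_url'] . PHP_EOL;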
// Webhooks: describe the endpoint first, then register it.
$webhookSettings = [
    'name' => 'Production hook',
    // Deliveries go to this HTTPS endpoint.
    'url' => 'https://app.example.com/hooks/coffrify',
    // Event types this hook is registered for.
    'events' => [
        'transfer.created',
        'transfer.scan_infected',
        'workspace.payment_failed',
    ],
];

// The response carries a 'secret' entry, presumably the key the receiving
// endpoint later hands to Coffrify\Webhook::verify() (confirm against the SDK
// docs). Store it in a secret store rather than in logs or source.
$hook = $coffrify->webhooks->create($webhookSettings);
echo "Save this secret: {$hook['secret']}" . PHP_EOL;
<?php
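// Webhook receiver: authenticate the delivery before acting on any part of it.
// The body is read exactly as received because the signature is computed over
// "<timestamp>.<raw_body>"; decoding or re-encoding it first would break the check.
$raw = file_get_contents('php://input');
$sig = $_SERVER['HTTP_X_COFFRIFY_SIGNATURE'] ?? '';
$secret = getenv('COFFRIFY_WEBHOOK_SECRET');

// Fail closed when the secret is missing or the body could not be read.
// getenv() returns false for an unset variable; without this guard that value
// would be passed to verify() as the HMAC key. How verify() treats a false or
// empty secret is not shown here, so the endpoint must not depend on it.
if (!is_string($secret) || $secret === '' || $raw === false) {
    error_log('Coffrify webhook rejected: secret not configured or body unreadable');
    http_response_code(500);
    exit;
}

$v = Coffrify\Webhook::verify($raw, $sig, $secret);
if (!$v['valid']) {
    // NOTE(review): the failure reason is returned to an unauthenticated caller.
    // Consider logging it server-side and answering with a generic body instead.
    http_response_code(400);
    exit($v['reason']);
}

// Only the verified event is dispatched. The timestamp window limits replays
// but does not exclude a repeated delivery inside it, so handlers should
// tolerate seeing the same event twice.
match ($v['event']['type']) {
    'transfer.downloaded' => handleDownload($v['event']),
    'transfer.scan_infected' => quarantine($v['event']),
    // Event types without a handler are acknowledged and ignored.
    default => null,
};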
http_response_code(200);
The signature header has the form t=<timestamp>,v1=<hmac_hex>. Verification:
- Confirms the timestamp is within ±5 minutes (replay protection).
- Recomputes HMAC-SHA256(secret, "<timestamp>.<raw_body>") and compares it with the v1 value in constant time (hash_equals).
// Rotate an API key. 'ak_…' stands in for the identifier of the key being
// rotated. The second argument (7) is presumably the grace period before the
// old key is revoked; its unit is not shown here — TODO confirm.
$result = $coffrify->apiKeys->rotate('ak_…', 7);
// Save $result['new_key'] now — old key auto-revokes at $result['grace_until']
MIT.