Firebase Php Laravel Package
kreait/firebase-php
Unofficial Firebase Admin SDK for PHP. Manage authentication, users, custom tokens, and verify ID tokens; send Cloud Messaging notifications; work with Realtime Database, Cloud Storage, and Remote Config. Built on Google APIs with Laravel-friendly support.
- Added support for Unicode characters in email addresses.
App Check
- Added replay-protection verification for App Check tokens via
verifyTokenWithReplayProtection(). The response now includesalreadyConsumedwhen replay protection is used. - Added transitional contract
Kreait\Firebase\Contract\AppCheckWithReplayProtection. This was introduced to preserve backwards compatibility by avoiding a signature change toKreait\Firebase\Contract\AppCheck::verifyToken()in the current major release. - Added dedicated exception
Kreait\Firebase\Exception\AppCheck\FailedToVerifyAppCheckReplayProtectionfor replay-protection verification failures. It extendsKreait\Firebase\Exception\AppCheck\FailedToVerifyAppCheckTokenfor backwards compatibility.
[!IMPORTANT] Support the project: This SDK is downloaded 1M+ times monthly and powers thousands of applications. If it saves you or your team time, please consider sponsoring its development.
Added support for firebase/php-jwt:^7.0.2 to remediate the vulnerabilities PKSA-y2cr-5h3j-g3ys and CVE-2025-4659.
[!IMPORTANT] Support the project: This SDK is downloaded 1M+ times monthly and powers thousands of applications. If it saves you or your team time, please consider sponsoring its development.
Added support for firebase/php-jwt:^7.0.2
[!IMPORTANT] Support the project: This SDK is downloaded 1M+ times monthly and powers thousands of applications. If it saves you or your team time, please consider sponsoring its development.
Security improvements
- Added
#[SensitiveParameter]attributes to methods handling sensitive data (passwords, tokens, private keys) to prevent them from appearing in stack traces and error logs.
Breaking changes
- The SDK supports only actively supported PHP versions. As a result, support for PHP < 8.3 has been dropped; supported versions are 8.3, 8.4, and 8.5.
- Firebase Dynamic Links was shut down on August 25th, 2025 and has been removed from the SDK.
- Deprecated classes, methods and class constants have been removed.
- Method arguments are now fully type-hinted
- Type declarations have been simplified to reduce runtime overhead (e.g.,
Stringable|stringtostring). - The transitional
Kreait\Firebase\Contract\Transitional\FederatedUserFetcher::getUserByProviderUid()method has been moved into theKreait\Firebase\Contract\Authinterface - Realtime Database objects considered value objects have been made final and readonly
psr/loghas been moved from runtime dependencies to development dependenciesKreait\Firebase\Contract\Messaging::BATCH_MESSAGE_LIMITconstant has been removed- Exception codes are no longer preserved when wrapping exceptions
Kreait\Firebase\Messaging\CloudMessagebuilder methods have been renamed to follow thewith*pattern:toToken()->withToken(),toTopic()->withTopic(),toCondition()->withCondition(). The old methods are deprecated but still available as aliases.
See UPGRADE-8.0 for more details on the changes between 7.x and 8.0.
7.x Changelog
https://github.com/kreait/firebase-php/blob/7.24.0/CHANGELOG.md
[!IMPORTANT] Support the project: This SDK is downloaded 1M+ times monthly and powers thousands of applications. If it saves you or your team time, please consider sponsoring its development.
Changed
- Realtime Database references are now validated by the API instead of locally. Validation rules can change at any time, and the SDK can only adapt to changes in the API. While local checks could prevent obviously invalid paths, they'd also require an SDK update whenever Firebase loosens a rule. Developers can be trusted not to use invalid paths 😅.
- Removed the
#[SensitiveParameter]attribute again, because it's supported by PHP 8.1 itself, but not in combination with Valinor. (#1034)
[!IMPORTANT] Support the project: This SDK is downloaded 1M+ times monthly and powers thousands of applications. If it saves you or your team time, please consider sponsoring its development.
Require cuyz/valinor:^2.2.1 for better mapping.
Added
- Added support for PHP 8.5
Changed
- The project now features a custom logo (I came up with it myself, and took the wise decision to not look up if there's something similar already)
- Refined README for improved clarity, removed outdated documentation sections, and streamlined project support messaging with a more positive call to action
- Documentation now uses the modern Furo theme, providing a cleaner and more pleasant reading experience
[!IMPORTANT] Support the project: This SDK is downloaded 1M+ times monthly and powers thousands of applications. If it saves you or your team time, please consider sponsoring its development.
Fixed
- Re-added the
#[SensitiveParameter]attribute because, while it's not supported in PHP 8.1, it can still be used if placed in a standalone line above the variable or property. - Re-added support for JSON files with any file extension
- With the introduction of Valinor, Service Account credentials were required to have more fields than necessary to work with the SDK, although it only needs the client email, private key, and project ID.
Fixes
Removed the #[SensitiveParameter] attribute because it's not supported in PHP 8.1.
Changed
This release introduces Valinor for type-safe object mapping. The first application is mapping a given service account file, JSON, or array to the newly added internal ServiceAccount class, with more to follow in future releases.
-
You can now get a user by their federated identity provider (e.g. Google, Facebook, etc.) UID with
Kreait\Firebase\Auth::getUserByProviderUid(). (#1000).Since this method couldn't be added to the
Kreait\Firebase\Contract\Authinterface without causing a breaking change, a new transitional interface/contract namedKreait\Firebase\Contract\Transitional\FederatedUserFetcherwas added. This interface will be removed in the next major version of the SDK.There are several ways to check if you can use the
getUserByProviderUid()method:
use Kreait\Firebase\Contract\Transitional\FederatedUserFetcher;
use Kreait\Firebase\Factory;
$auth = (new Factory())->createAuth();
// The return type is Kreait\Firebase\Contract\Auth, which doesn't have the method
if (method_exists($auth, 'getUserByProviderUid')) {
$user = $auth->getUserByProviderUid('google.com', 'google-uid');
}
if ($auth instanceof \Kreait\Firebase\Auth) { // This is the implementation, not the interface
$user = $auth->getUserByProviderUid('google.com', 'google-uid');
}
if ($auth instanceof FederatedUserFetcher) {
$user = $auth->getUserByProviderUid('google.com', 'google-uid');
}
- The new method
Kreait\Firebase\Factory::withDefaultCache()allows you to set a default cache implementation for the SDK. This is useful if you want to use one cache implementation for all components that support caching. (Documentation)
Deprecated
Kreait\Firebase\Factory::getDebugInfo
What's Changed
- Enable getting a user by their federated IdP UID by @jeromegamez in https://github.com/kreait/firebase-php/pull/1003
- Add and address PHPStan strict rules by @jeromegamez in https://github.com/kreait/firebase-php/pull/1006
- Add previous exceptions to api exceptions by @BackEndTea in https://github.com/kreait/firebase-php/pull/1008
New Contributors
- @BackEndTea made their first contribution in https://github.com/kreait/firebase-php/pull/1008
Full Changelog: https://github.com/kreait/firebase-php/compare/7.19.0...7.20.0
Added
- You can now save on method call by passing a custom Firestore database name to
Kreait\Firebase\Factory::createFirestore($databaseName)instead of having to chain::withFirestoreDatabase($databaseName)->createFirestore() - It is now possible to set live activity tokens in Apns configs.
Kreait\Firebase\Http\HttpClientOptions::withGuzzleMiddleware()andKreait\Firebase\Http\HttpClientOptions::withGuzzleMiddlewares()now accept callable strings, in addition to callables. (#1004)
Deprecated
Kreait\Firebase\Factory::withFirestoreDatabase()
It is now possible to configure multi factor authentication for a user.
FCM Error responses with status code 502 are now caught and converted to ServerUnavailable exceptions.
It wasn't possible to upgrade the SDK to a newer version because it required a lcobucci/jwt release that doesn't support PHP 8.1 anymore. This was fixed by changing the version requirement from ^5.4.2 to ^5.3.
[!IMPORTANT] The SDK is celebrating its 10th anniversary this month! If you’ve found value in my work on this project over the years, I’d be truly grateful if you considered showing your support by becoming a Sponsor. Thank you for helping keep this journey going!
Added
- It is now possible to override the Guzzle HTTP handler by using the
HttpClientOptions::withGuzzleHandler()method. (#956)
Changed
- The Messaging component doesn't rely on the
CloudMessageclass for message handling anymore. If you provide a message as an array and it has an error, the Firebase API will report it. You can still use theCloudMessageclass as a message builder - Deprecated the
CloudMessage::withTarget()method, use the newtoToken(),toTopic()ortoCondition()methods instead
Deprecated
Kreait\Firebase\Messaging\CloudMessage::withTarget()Kreait\Firebase\Messaging\CloudMessage::withChangedTarget()Kreait\Firebase\Messaging\CloudMessage::target()Kreait\Firebase\Messaging\CloudMessage::hasTarget()
Added support for rollout parameter values in Remote Config Templates. (#923), (#927)
Please note that it's not (yet?) possible to create rollouts programmatically via the Firebase API. This means that you have to manually create a rollout in the Firebase console to be able to reference it in the Remote Config template. Rollout IDs are named rollout_<number>, and you can find the ID in the URL after clicking on a rollout in the list.
Added
Added support for PHP 8.4.
[!NOTE] While the SDK supports PHP 8.4, not all dependencies support it. If you want to use the SDK with PHP 8.4, you probably will need to ignore platform requirements when working with Composer, by setting the appropriate environment variables or
composerCLI options when runningcomposer install/update/require.
Deprecated
Firebase Dynamic Links is deprecated and should not be used in new projects. The service will shut down on August 25, 2025. The component will remain in the SDK until then, but as the Firebase service is deprecated, this component is also deprecated. (Dynamic Links Deprecation FAQ)
Changed
- Service Account auto-discovery was done on instantiation of the Factory, causing it to fail when credentials weren't ready yet. It will now be done the first time a component is to be instantiated.
It is now possible to get a Remote Config template by its version number. (#890)
Re-enabled the use of psr/http-message v1.0 (#850)
Added support for PHP 8.3
- Added
Kreait\Firebase\Factory::withFirestoreClientConfig()to support setting additional options when creating the Firestore component. (Documentation) - Added
Kreait\Firebase\Factory::withFirestoreDatabase()to specify the database used when creating the Firestore component. (Documentation)
Changed
- Required transitive dependencies directly (#842)
{
"require": {
// ...
"ext-filter": "*",
"guzzlehttp/promises": "^2.0",
"guzzlehttp/psr7": "^2.6",
"psr/clock": "^1.0",
"psr/http-client": "^1.0",
"psr/http-factory": "^1.0",
"psr/http-message": "^2.0",
}
}
The Kreait\Firebase\Exception\Messaging\NotFound exception now exposes the token that hasn't been found with the token() method. (#825)
Added
- Added FCM error handling to the documentation
The future of the Firebase Admin PHP SDK
Unless funding is found to continue maintaining this project and the underlying SDK, maintenance will be halted.
The cached KeySet used by the AppCheck component didn't use the same Guzzle Config Options as the other clients (#812)
How can I help you explore Laravel packages today?