# laravel-iam-contracts

The shared contract layer of the Laravel IAM ecosystem.

Interfaces and immutable value objects that every `padosoft/laravel-iam-*` package implements or consumes — and nothing else. No implementations, no Laravel dependency, no runtime dependencies at all (just PHP 8.3+).
This package contains zero behaviour — only the seams the rest of the ecosystem agrees on. Swap the
PDP engine, the key custodian or the passkey verifier without touching a line of consuming code. That is
the whole point of shipping the contracts as a separate package.
## What it is — in one minute
Laravel IAM is an Identity & Authorization Control Plane split across many packages: a server, a
client, governance/AI modules, a directory connector, migration bridges, and SDKs in three languages. They
all need to speak the same language:
- What is a subject? → `SubjectRef`
- How does the PDP decide allow/deny? → `AuthorizationEngine`
- How is a secret encrypted, a token signed? → `KeyProvider`, `SecretCipher`, `TokenSigner`
- What is an assurance level, a step-up? → `Aal`, `StepUpProvider`
- How is a session tracked and revoked? → `SessionRegistry`
- How is a governance feature gated? → `FeatureScope`
laravel-iam-contracts is that language. It is the dependency root of the ecosystem: everything
depends on it, it depends on nothing.
In one line: one tiny, dependency-free package of interfaces and DTOs that makes the entire
platform pluggable — because consumers type against abstractions, never implementations.
## Why a separate package of only contracts

- Pluggability: implement `AuthorizationEngine` against OpenFGA/SpiceDB, `KeyProvider` against AWS KMS or an HSM, or `FactorVerifier` against an external SCA provider — and no consuming code changes.
- Independent releases: server, client and SDKs version on their own cadence; they only have to agree on the contract version. The dependency graph is a DAG with this package at the root.
- ABI stability: a method signature here is a promise to every implementor across the ecosystem. Changing one is a breaking change — so the package is deliberately small, reviewed, and semver-disciplined.
- Zero dependencies: the composer `require` section is `php: ^8.3` only. It installs anywhere and drags nothing in — no `illuminate/*`, no transitive surprises for the apps that consume it.
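What "type against the contract, fail closed" looks like in practice, as an added example that is not code from this package: the method name `decide`, the `Decision` enum and the `SubjectRef`/`AuthorizationEngine` shapes are assumptions, since this README does not show the real signatures.

```php
<?php
declare(strict_types=1);
// Added example, not code from padosoft/laravel-iam-contracts: the method names and the
// SubjectRef / AuthorizationEngine / Decision shapes below are ASSUMED for illustration.
namespace App\Iam;
enum Decision: string { case Allow = 'allow'; case Deny = 'deny'; }
// Assumed shape of the immutable SubjectRef value object.
final readonly class SubjectRef
{
    public function __construct(public string $type, public string $id) {}
}

// Assumed shape of the AuthorizationEngine contract.
interface AuthorizationEngine
{
    public function decide(SubjectRef $subject, string $action, string $resource): Decision;
}

// Fail-closed decorator around any real PDP (OpenFGA, SpiceDB, an HTTP backend ...):
// the consumer sees Allow only on an explicit Allow; every error or unexpected
// result becomes Deny, so a PDP outage can never turn into an Allow.
final class FailClosedEngine implements AuthorizationEngine
{
    public function __construct(private readonly AuthorizationEngine $inner) {}
    public function decide(SubjectRef $subject, string $action, string $resource): Decision
    {
        try {
            return $this->inner->decide($subject, $action, $resource) === Decision::Allow
                ? Decision::Allow
                : Decision::Deny; // anything that is not an explicit Allow is a Deny
        } catch (\Throwable $e) {
            // Log and deny; never rethrow into a path that might default to allow.
            error_log(sprintf('PDP failure, denying %s on %s: %s', $action, $resource, $e->getMessage()));
            return Decision::Deny;
        }
    }
}

// Consumer code types against the contract only, so the engine behind it can be swapped.
function canPublish(AuthorizationEngine $pdp, SubjectRef $user): bool
{
    return $pdp->decide($user, 'publish', 'doc:42') === Decision::Allow;
}

// A backing PDP that blows up (network timeout, bad response) still yields a deny.
$broken = new class implements AuthorizationEngine {
    public function decide(SubjectRef $s, string $a, string $r): Decision { throw new \RuntimeException('timeout'); }
};
var_dump(canPublish(new FailClosedEngine($broken), new SubjectRef('user', 'u-1')));
```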
## The ecosystem at a glance
This package sits at the bottom of the dependency graph. The server implements the contracts; clients
and SDKs consume them.
| Package | Role |
|---|---|
| laravel-iam-contracts (this repo) | Shared interfaces & DTOs — the dependency root |
| laravel-iam-server | The IAM server: identity, org, Application Registry, PDP (RBAC+ABAC+ReBAC), OAuth/OIDC, audit, governance, Admin API & panel |
| laravel-iam-client | Client for apps consuming Laravel IAM: OIDC login, JWT/JWKS, introspection, iam.auth/iam.can middleware, Gate adapter |
| laravel-iam-ai | Optional AI module: advisory-only governance (redaction + hallucination guard + audit) |
| laravel-iam-directory | Optional directory module: LDAP / Active Directory (LdapRecord) |
| laravel-iam-bridge-spatie-permission | Migration bridge from spatie/laravel-permission: scan, shadow mode, cutover, rollback |
| laravel-iam-node | SDK client Node/TS (@padosoft/laravel-iam-node), thin + fail-closed |
| laravel-iam-react-native | SDK client React Native (@padosoft/laravel-iam-react-native), thin + hooks |
| laravel-iam-rust | SDK client Rust (crate laravel-iam), async + blocking, fail-closed |
## Install

```bash
composer require padosoft/laravel-iam-contracts
```
Requirements: PHP 8.3+. No Laravel required — this package is framework-agnostic and
dependency-free. Autoloading is PSR-4 under Padosoft\Iam\Contracts\.
## Start here

- Implement your first contract — a fail-closed authorization engine — in five minutes.
- Decoupling, independent releases, ABI stability — the design argument for a contracts-only package.
- Every interface and DTO, grouped by namespace, with exact signatures and who implements / consumes each.