You can use our PHP SDK to:

  • Encrypt data server-side
  • Decrypt data server-side
  • Invoke Functions
  • Proxy requests through Relay

Encrypting/Decrypting data with our backend SDKs instead of Relay may expose you to greater compliance burden because your server handles plaintext data.

Instead you can:

  • Use a Relay to encrypt data before it reaches your server.
  • Use our client-side SDKs to encrypt data before sending it to your server.



The Evervault SDK requires PHP 7.1.0 or later.

The bindings also require the following extensions:

If you install the bindings using Composer, these should automatically be installed. Otherwise, ensure that the extensions are available on your system.

Install SDK

Our PHP SDK is distributed via Composer, or it can be installed manually.

You can install the Evervault PHP bindings using Composer. Simply run the following command:

To use the bindings, use Composer's autoload:

If you'd prefer to not use Composer, you can download our latest release.

Once downloaded, simply include the init.php file from the SDK's root folder.

Initialize SDK

The SDK needs to be initialized with an App's ID and API key. If you don't have one yet, you can get one by creating an App in the Evervault Dashboard.

Encrypt a string

Now that the SDK is initialized, we can encrypt a string.

Full example

Pulling all of this together leaves us with the following working example. You can copy and paste the code below (using a sandbox API key and App ID), run it in your own environment and run the encryption and decryption for yourself.



Encrypts data using Evervault Encryption. Evervault Strings can be used across all of our Primitives. To encrypt data using the PHP SDK, simply pass a string or array into the encrypt() method.

The encrypted data can be stored in your database as normal and can be used with any of Evervault’s other services.

$dataRequiredstring | array

The data to encrypt.


Decrypts data previously encrypted with the encrypt() function or through Relay.

An API key with the decrypt permission must be used to perform this operation.

$encryptedRequiredstring | array

The data to decrypt.

Decrypting data with our backend SDKs is not available if you are part of the PCI or HIPAA compliance use cases

Instead you can:

  • Use Relay to decrypt data before sending it to third-parties.
  • Use Functions or Enclaves to process encrypted data.

$evervault->createClientSideDecryptToken($payload, $expiry)

Client Side Decrypt Tokens are versatile and short-lived tokens that frontend applications can utilise to decrypt data previously encrypted through Evervault. Client Side Decrypt Tokens are restricted to specific payloads.

By default, a Client Side Decrypt Token will live for 5 minutes into the future. The maximum time to live of the token is 10 minutes into the future.

payloadRequiredstring | array

The payload containing encrypted data that the token will be used to decrypt.


The time the token will expire in Epoch seconds.

$evervault->run($functionName, $data)

Lets you invoke an Evervault Function with a given payload.


Name of the function the run token is for.


Payload for the function.


The run() function returns an associative array. This array includes a unique run ID, the status of the execution denoted as success or failure, and, in cases of a successful run, the output generated by the function.

$evervault->createRunToken($functionName, $data)

Creates a single use, time bound token (5 minutes) for invoking an Evervault Function with a given payload. If the payload is an empty object, the Run Token will be valid for any payload.

Run Tokens can be used to invoke an Evervault Function client-side without providing a sensitive API Key.


Name of the Function the Run Token is for.


Payload that the token can be used with.


When you create a Run Token, the SDK will return a JSON object containing your token.

Run Tokens can then be used to authenticate Function runs from the client-side.

The payload used to invoke your Function must be identical to the payload used to create the Run Token.


Configures your application to proxy HTTP requests using Relay for any requests to Relay destinations sent using the cURL handler provided.

Relay must be enabled for a CurlHandle after the destination URL has been set, and before curl_exec() is called.


If the destination URL has been added as an Relay destination in the Evervault Dashboard, any requests sent to this destination using the CurlHandle provided will be proxied through Relay.