README

Tiny, framework-agnostic PHP library for Solana public keys and Ed25519 signature verification.

Built for Sign-In With Solana flows where you need to validate a wallet address and verify a detached signature — without pulling in a full Solana SDK.

Installation

composer require sandermuller/solana-pubkey

Requires PHP 8.3+ and ext-sodium. No other runtime dependencies.

Usage

Verify a Solana wallet signature

use SanderMuller\SolanaPubkey\Base58;
use SanderMuller\SolanaPubkey\PublicKey;

$pubkey    = PublicKey::from($walletAddressBase58);
$signature = Base58::decode($signatureBase58);

if ($pubkey->verify($message, $signature)) {
    // signature is valid for $message under $pubkey
}

Construct from raw bytes

use SanderMuller\SolanaPubkey\PublicKey;

$keypair = sodium_crypto_sign_keypair();
$pubkey  = PublicKey::fromBytes(sodium_crypto_sign_publickey($keypair));

echo $pubkey->toBase58();

Base58 encoding

use SanderMuller\SolanaPubkey\Base58;

$encoded = Base58::encode($binary);   // throws nothing
$decoded = Base58::decode($base58);   // throws InvalidBase58Exception on bad input

API surface

See PUBLIC_API.md for the SemVer-governed surface. Anything not listed there is @internal and may change in any release.

Exceptions

All thrown exceptions extend SanderMuller\SolanaPubkey\Exceptions\SolanaPubkeyException (which extends RuntimeException):

PublicKey::verify() returns false (does not throw) for wrong-but-well-formed signatures and tampered messages.

Why this exists

The collectiq/solana-php-sdk is a full Solana SDK (RPC, transactions, Borsh, programs, DID). For SIWS-style auth flows, you only need three primitives: base58 codec, Ed25519 verify, and pubkey validation. This package ships exactly those, with no framework dependencies and no proprietary-license upstream.

Development

composer install
composer test      # Pest
composer qa        # Rector + Pint + PHPStan + lean-package-validator + tests

License

MIT — see LICENSE.