RequestAttribute uses ConstantsTrait
Conventional PSR-7 request attribute names shared across packages.
PSR-7 lets any middleware attach arbitrary key/value pairs to a request via ServerRequestInterface::withAttribute(). Downstream consumers read those values with ServerRequestInterface::getAttribute().
The constants below standardise the keys used by middlewares (writers) and controllers / traits (readers) so the convention is not duplicated as string literals across packages.
Values are camelCase to match the de-facto PSR-15 ecosystem convention (e.g. Slim, Mezzio, league/route).
Table of Contents
Constants
- ACCESS_TOKEN : string = 'accessToken'
  Raw access token string (without the scheme prefix) as received from the `Authorization` header. Useful for token introspection, downstream service calls (token relay), or refresh logic.
- AUTH_SCHEME : string = 'authScheme'
  Authentication scheme actually used to authenticate the request (`Bearer`, `Basic`, `OAuth`, ...). See `AuthScheme`.
- CORRELATION_ID : string = 'correlationId'
  Correlation identifier propagated across services for end-to-end tracing of a logical operation that spans several requests.
- LOCALE : string = 'locale'
  Resolved locale for the request (e.g. `fr_FR`, `en_US`), usually negotiated from `Accept-Language` and/or user preferences.
- ORGANIZATION_ID : string = 'organizationId'
  Organization identifier (Zitadel-style `org_id`) under which the authenticated user is acting for this request.
- REQUEST_ID : string = 'requestId'
  Unique identifier of the incoming HTTP request, generated by an early middleware. Echoed in responses (e.g. `X-Request-Id` header) and persisted in audit / access logs.
- ROUTE : string = 'route'
  Matched route object/descriptor attached by the router middleware (e.g. Slim `RouteInterface`, league/route `Route`).
- ROUTE_PARAMS : string = 'routeParams'
  Associative array of route parameters captured by the router (e.g. `['id' => '42']` for `/users/{id}`).
- TENANT_ID : string = 'tenantId'
  Tenant identifier under which the request is executed. Used by AQL projection authorizers and tenant-scoped resource lookups.
- TOKEN_TYPE : string = 'tokenType'
  Token type returned by the authorization server (typically `Bearer`, sometimes `DPoP`). See RFC 6749 §5.1 and RFC 9449.
- TRACE_ID : string = 'traceId'
  Distributed tracing identifier (W3C Trace Context `traceparent` or OpenTelemetry trace id) attached to the request.
- USER_CLAIMS : string = 'userClaims'
  Full set of decoded JWT claims, kept on the request so downstream components can read provider-specific or rarely-used claims without re-parsing the token.
- USER_ID : string = 'userId'
  Stable identifier of the authenticated user (typically the Zitadel `sub` claim).
- USER_ROLES : string = 'userRoles'
  Roles granted to the authenticated user (array of strings).
- USER_SCOPES : string = 'userScopes'
  OAuth 2.0 / OIDC scopes granted to the access token (array of strings).
Constants
ACCESS_TOKEN
Raw access token string (without the scheme prefix) as received from the `Authorization` header. Useful for token introspection, downstream service calls (token relay), or refresh logic.
public string ACCESS_TOKEN = 'accessToken'
AUTH_SCHEME
Authentication scheme actually used to authenticate the request (`Bearer`, `Basic`, `OAuth`, ...). See `AuthScheme`.
public string AUTH_SCHEME = 'authScheme'
CORRELATION_ID
Correlation identifier propagated across services for end-to-end tracing of a logical operation that spans several requests.
public string CORRELATION_ID = 'correlationId'
LOCALE
Resolved locale for the request (e.g. `fr_FR`, `en_US`), usually negotiated from `Accept-Language` and/or user preferences.
public string LOCALE = 'locale'
ORGANIZATION_ID
Organization identifier (Zitadel-style `org_id`) under which the authenticated user is acting for this request.
public string ORGANIZATION_ID = 'organizationId'
REQUEST_ID
Unique identifier of the incoming HTTP request, generated by an early middleware. Echoed in responses (e.g. `X-Request-Id` header) and persisted in audit / access logs.
public string REQUEST_ID = 'requestId'
ROUTE
Matched route object/descriptor attached by the router middleware (e.g. Slim `RouteInterface`, league/route `Route`).
public string ROUTE = 'route'
ROUTE_PARAMS
Associative array of route parameters captured by the router (e.g. `['id' => '42']` for `/users/{id}`).
public string ROUTE_PARAMS = 'routeParams'
TENANT_ID
Tenant identifier under which the request is executed. Used by AQL projection authorizers and tenant-scoped resource lookups.
public string TENANT_ID = 'tenantId'
TOKEN_TYPE
Token type returned by the authorization server (typically `Bearer`, sometimes `DPoP`). See RFC 6749 §5.1 and RFC 9449.
public string TOKEN_TYPE = 'tokenType'
TRACE_ID
Distributed tracing identifier (W3C Trace Context `traceparent` or OpenTelemetry trace id) attached to the request.
public string TRACE_ID = 'traceId'
USER_CLAIMS
Full set of decoded JWT claims, kept on the request so downstream components can read provider-specific or rarely-used claims without re-parsing the token.
public string USER_CLAIMS = 'userClaims'
USER_ID
Stable identifier of the authenticated user (typically the Zitadel `sub` claim).
public string USER_ID = 'userId'
Posted by the authentication middleware after the JWT has been validated, and read by every downstream component that needs to know "who is making this request" (Casbin enforcement, audit log, capability gating, AQL projection authorizers, ...).
USER_ROLES
Roles granted to the authenticated user (array of strings).
public string USER_ROLES = 'userRoles'
Typically populated from the JWT roles / groups claim or resolved from an identity provider, and consumed by RBAC enforcement.
USER_SCOPES
OAuth 2.0 / OIDC scopes granted to the access token (array of strings).
public string USER_SCOPES = 'userScopes'
Sourced from the scope / scp JWT claim and used to gate endpoints by scope.
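A minimal sketch of the writer/reader convention described at the top of this page, applied to `USER_ID` and `USER_SCOPES`, with a scope gate that fails closed. It is an added example, not code from the documented package: `DemoRequest`, `attachIdentity()` and `hasScope()` are hypothetical names, the `RequestAttribute` class here is a local stand-in carrying only two of the keys, and the claims are constructed (PHP 8.0+).

```php
<?php
declare(strict_types=1);

// Local stand-in for the documented class: two keys only, values copied from this page.
final class RequestAttribute {
    public const USER_ID = 'userId';
    public const USER_SCOPES = 'userScopes';
}

// Hypothetical request exposing the two PSR-7 attribute methods, so this runs without Composer.
final class DemoRequest {
    public function __construct(private array $attributes = []) {}

    public function withAttribute(string $name, mixed $value): static {
        $clone = clone $this;               // PSR-7 requests are immutable: return a copy
        $clone->attributes[$name] = $value;
        return $clone;
    }

    public function getAttribute(string $name, mixed $default = null): mixed {
        return $this->attributes[$name] ?? $default;
    }
}

// Writer side: call only with claims from a token whose signature, issuer, audience and expiry were verified.
function attachIdentity(DemoRequest $request, array $claims): DemoRequest {
    if (!is_string($claims['sub'] ?? null) || $claims['sub'] === '') {
        throw new InvalidArgumentException('validated token has no usable sub claim');
    }
    // Providers emit scopes as one space-delimited string or as an array, under `scope` or `scp`.
    $raw = $claims['scope'] ?? $claims['scp'] ?? [];
    $scopes = is_string($raw) ? preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) : (array) $raw;
    $scopes = array_values(array_filter($scopes, 'is_string'));

    return $request
        ->withAttribute(RequestAttribute::USER_ID, $claims['sub'])
        ->withAttribute(RequestAttribute::USER_SCOPES, $scopes);
}

// Reader side: exact, strict match; a missing or mistyped attribute denies access.
function hasScope(DemoRequest $request, string $required): bool {
    $scopes = $request->getAttribute(RequestAttribute::USER_SCOPES);
    return is_array($scopes) && in_array($required, $scopes, true);
}

// Constructed claims, standing in for the output of a JWT validator.
$authed = attachIdentity(new DemoRequest(), ['sub' => 'user-123', 'scope' => 'orders:read  profile']);
var_dump(hasScope($authed, 'orders:read'));            // scope present in the token
var_dump(hasScope($authed, 'orders:write'));           // scope absent from the token
var_dump(hasScope(new DemoRequest(), 'orders:read'));  // authentication middleware never ran
```

In a PSR-15 stack the same `withAttribute()` / `getAttribute()` calls go against `ServerRequestInterface`, with the writer living in the authentication middleware and the reader in the handler or a later middleware.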