Keyfile extends Thing uses KeyfileTrait
A keyfile JSON structure for PRIVATE_KEY_JWT M2M clients.
Returned once by the API on service creation and key rotation, never persisted server-side. The client M2M consumer must save the keyfile locally and use it to sign short-lived JWT bearer assertions exchanged at the IdP's token endpoint for an access token.
The keyfile is auto-sufficient: it carries both the IdP-side material (key, keyId, userId, clientId, type) and the connection metadata (issuer, audience, scope, apiBaseUrl) so a third-party developer can call the API without any additional configuration.
Tags
Table of Contents
Constants
- API_BASE_URL : string = 'apiBaseUrl'
- AUDIENCE : string = 'audience'
- CLIENT_ID : string = 'clientId'
- CONTEXT : string = 'https://schema.org'
- JSON-LD @context declaration for Schema.org.
- ISSUER : string = 'issuer'
- JSON_PRIORITY_KEYS : array<string|int, mixed> = [\org\schema\constants\Schema::AT_TYPE, \org\sc...
- Defines the priority order of keys when serializing the object to JSON-LD.
- KEY : string = 'key'
- KEY_ID : string = 'keyId'
- SCOPE : string = 'scope'
- TYPE : string = 'type'
- USER_ID : string = 'userId'
Properties
- $_from : string|null
- The metadata to indicates the edge 'from' identifier.
- $_id : null|string
- The metadata identifier of the item.
- $_key : null|string
- The metadata unique key identifier of the thing.
- $_rev : null|string
- The metadata revision value of the thing.
- $_to : string|null
- The metadata to indicates the edge 'to' identifier.
- $active : bool|null
- The active flag.
- $additionalType : array<string|int, mixed>|string|null|object
- An additionalType for the item.
- $alternateName : string|object|array<string|int, mixed>|null
- An alias for the item.
- $apiBaseUrl : string|null
- The base URL of the API to call once a token has been acquired (e.g. `https://api.example.com`).
- $appId : string|null
- The app ID (= the `sub` claim of the resulting access token).
- $audience : string|null
- The audience expected in the access token (typically the IdP project identifier — Zitadel `projectId`).
- $clientId : string|null
- OAuth2 clientId of the application.
- $created : null|string
- Date of creation of the resource.
- $description : string|object|array<string|int, mixed>|null
- A short description of the item.
- $disambiguatingDescription : string|null
- A sub property of description. A short description of the item used to disambiguate from other, similar items. Information from other properties (in particular, name) may be necessary for the description to be useful for disambiguation.
- $hasPart : string|Thing|array<string|int, Thing>|null
- Indicates an item that this part of this item.
- $id : null|int|string
- The unique identifier of the item.
- $identifier : string|null
- The identifier of the item.
- $image : string|ImageObject|array<string|int, ImageObject|string>|null
- The image reference of this resource.
- $isPartOf : string|Thing|array<string|int, Thing>|null
- Indicates an item that this item is part of.
- $issuer : string|null
- The IdP issuer URL (e.g. `https://my-org.zitadel.cloud`).
- $key : string|null
- The RSA private key in PEM format (`-----BEGIN RSA PRIVATE KEY-----...`).
- $keyId : string|null
- The keyId that identifies this specific key on the Zitadel side.
- $license : string|object|null
- A legal document giving official permission to do something with the resource.
- $mainEntityOfPage : string|null
- Indicates a page (or other CreativeWork) for which this thing is the main entity being described.
- $modified : null|string
- Date on which the resource was changed.
- $name : int|string|null
- The name of the item.
- $owner : null|string|Thing
- The owner of this Thing.
- $potentialAction : array<string|int, mixed>|Action|null
- Indicates a potential Action, which describes an idealized action in which this thing would play an 'object' role.
- $publisher : string|array<string|int, string|Person|Organization>|Person|Organization|null
- The publisher of the resource.
- $sameAs : string|array<string|int, mixed>|null
- URL of a reference Web page that unambiguously indicates the item's identity.
- $scope : string|null
- The OAuth2 scope to request at the token endpoint (e.g. `openid profile urn:zitadel:iam:org:project:id:<projectId>:aud`).
- $subjectOf : null|string|array<string|int, mixed>|CreativeWork|Event
- A CreativeWork or Event about this Thing.
- $type : string|null
- The keyfile type.
- $url : int|string|null
- URL of the item.
- $userId : string|null
- The IdP user identifier (= the `sub` claim of the resulting access token). Used as both `iss` and `sub` of the JWT bearer assertion.
- $atContext : string|null
- The JSON-LD `@context` value.
- $atType : string|null
- The JSON-LD `@type` value.
- $DEFAULT_JSON_SERIALIZE_OPTIONS : array<string|int, mixed>
- The default static jsonSerialize options (class-level configuration).
- $schemaTypeCache : array<string, string>
- Internal cache for resolved schema types.
Methods
- __construct() : mixed
- Constructor to hydrate public properties from an array or stdClass.
- getJsonSerializeOptions() : array<string|int, mixed>
- Returns the default JSON serialization options.
- getSchemaType() : string
- Returns the fully qualified URI of the schema type.
- jsonSerialize() : array<string|int, mixed>
- Serializes the current object into a JSON-LD array.
- withAtContext() : $this
- Sets the internal JSON-LD `@context` attribute.
- withAtType() : $this
- Sets the internal JSON-LD `@type` attribute.
- withJSONLDMeta() : $this
- Initializes both JSON-LD metadata: `@type` and `@context`.
Constants
API_BASE_URL
public
string
API_BASE_URL
= 'apiBaseUrl'
AUDIENCE
public
string
AUDIENCE
= 'audience'
CLIENT_ID
public
string
CLIENT_ID
= 'clientId'
CONTEXT
JSON-LD @context declaration for Schema.org.
public
string
CONTEXT
= 'https://schema.org'
ISSUER
public
string
ISSUER
= 'issuer'
JSON_PRIORITY_KEYS
Defines the priority order of keys when serializing the object to JSON-LD.
public
array<string|int, mixed>
JSON_PRIORITY_KEYS
= [\org\schema\constants\Schema::AT_TYPE, \org\schema\constants\Schema::AT_CONTEXT, \org\schema\constants\Schema::_KEY, \org\schema\constants\Schema::_FROM, \org\schema\constants\Schema::_TO, \org\schema\constants\Schema::ID, \org\schema\constants\Schema::NAME, \org\schema\constants\Schema::URL, \org\schema\constants\Schema::CREATED, \org\schema\constants\Schema::MODIFIED]
Keys listed here will always appear first in the serialized array, in the order specified. All remaining public properties will be sorted alphabetically after these priority keys.
This ensures that important JSON-LD metadata and system fields
(like @type, @context, _key, id, url, created, modified, etc.)
appear at the top of the output for consistency and readability.
Usage:
$orderedKeys = self::JSON_PRIORITY_KEYS;
Notes:
- Can be overridden in a subclass by redefining the constant.
- Late static binding (
static::JSON_PRIORITY_KEYS) allows child classes to modify the serialization order.
List of JSON-LD keys in priority order.
KEY
public
string
KEY
= 'key'
KEY_ID
public
string
KEY_ID
= 'keyId'
SCOPE
public
string
SCOPE
= 'scope'
TYPE
public
string
TYPE
= 'type'
USER_ID
public
string
USER_ID
= 'userId'
Properties
$_from
The metadata to indicates the edge 'from' identifier.
public
string|null
$_from
$_id
The metadata identifier of the item.
public
null|string
$_id
$_key
The metadata unique key identifier of the thing.
public
null|string
$_key
$_rev
The metadata revision value of the thing.
public
null|string
$_rev
$_to
The metadata to indicates the edge 'to' identifier.
public
string|null
$_to
$active
The active flag.
public
bool|null
$active
$additionalType
An additionalType for the item.
public
array<string|int, mixed>|string|null|object
$additionalType
$alternateName
An alias for the item.
public
string|object|array<string|int, mixed>|null
$alternateName
$apiBaseUrl
The base URL of the API to call once a token has been acquired (e.g. `https://api.example.com`).
public
string|null
$apiBaseUrl
= null
$appId
The app ID (= the `sub` claim of the resulting access token).
public
string|null
$appId
= null
$audience
The audience expected in the access token (typically the IdP project identifier — Zitadel `projectId`).
public
string|null
$audience
= null
$clientId
OAuth2 clientId of the application.
public
string|null
$clientId
= null
Used as iss and sub of the JWT bearer assertion.
$created
Date of creation of the resource.
public
null|string
$created
$description
A short description of the item.
public
string|object|array<string|int, mixed>|null
$description
$disambiguatingDescription
A sub property of description. A short description of the item used to disambiguate from other, similar items. Information from other properties (in particular, name) may be necessary for the description to be useful for disambiguation.
public
string|null
$disambiguatingDescription
$hasPart
Indicates an item that this part of this item.
public
string|Thing|array<string|int, Thing>|null
$hasPart
$id
The unique identifier of the item.
public
null|int|string
$id
$identifier
The identifier of the item.
public
string|null
$identifier
$image
The image reference of this resource.
public
string|ImageObject|array<string|int, ImageObject|string>|null
$image
$isPartOf
Indicates an item that this item is part of.
public
string|Thing|array<string|int, Thing>|null
$isPartOf
$issuer
The IdP issuer URL (e.g. `https://my-org.zitadel.cloud`).
public
string|null
$issuer
= null
The token endpoint is derived as {issuer}/oauth/v2/token.
$key
The RSA private key in PEM format (`-----BEGIN RSA PRIVATE KEY-----...`).
public
string|null
$key
= null
Used to sign the JWT bearer assertion.
$keyId
The keyId that identifies this specific key on the Zitadel side.
public
string|null
$keyId
= null
Used as kid in the JWT header — Zitadel resolves the matching
public key by this id when verifying the assertion.
$license
A legal document giving official permission to do something with the resource.
public
string|object|null
$license
$mainEntityOfPage
Indicates a page (or other CreativeWork) for which this thing is the main entity being described.
public
string|null
$mainEntityOfPage
$modified
Date on which the resource was changed.
public
null|string
$modified
$name
The name of the item.
public
int|string|null
$name
$owner
The owner of this Thing.
public
null|string|Thing
$owner
Represents any entity (person, organization, system, or other object) that can be considered the possessor of this Thing.
$potentialAction
Indicates a potential Action, which describes an idealized action in which this thing would play an 'object' role.
public
array<string|int, mixed>|Action|null
$potentialAction
$publisher
The publisher of the resource.
public
string|array<string|int, string|Person|Organization>|Person|Organization|null
$publisher
$sameAs
URL of a reference Web page that unambiguously indicates the item's identity.
public
string|array<string|int, mixed>|null
$sameAs
E.g. the URL of the item's Wikipedia page, Wikidata entry, or official website.
$scope
The OAuth2 scope to request at the token endpoint (e.g. `openid profile urn:zitadel:iam:org:project:id:<projectId>:aud`).
public
string|null
$scope
= null
$subjectOf
A CreativeWork or Event about this Thing.
public
null|string|array<string|int, mixed>|CreativeWork|Event
$subjectOf
$type
The keyfile type.
public
string|null
$type
= null
$url
URL of the item.
public
int|string|null
$url
$userId
The IdP user identifier (= the `sub` claim of the resulting access token). Used as both `iss` and `sub` of the JWT bearer assertion.
public
string|null
$userId
= null
$atContext
The JSON-LD `@context` value.
protected
string|null
$atContext
= null
Default is https://schema.org.
$atType
The JSON-LD `@type` value.
protected
string|null
$atType
= null
This can be manually set or automatically inferred from the class name.
$DEFAULT_JSON_SERIALIZE_OPTIONS
The default static jsonSerialize options (class-level configuration).
protected
static array<string|int, mixed>
$DEFAULT_JSON_SERIALIZE_OPTIONS
= []
$schemaTypeCache
Internal cache for resolved schema types.
private
static array<string, string>
$schemaTypeCache
= []
Methods
__construct()
Constructor to hydrate public properties from an array or stdClass.
public
__construct([array<string|int, mixed>|object|null $init = null ]) : mixed
This allows objects to be quickly populated with associative data without manually setting each property.
Parameters
- $init : array<string|int, mixed>|object|null = null
-
A data array or object used to initialize the instance. Keys must match public property names.
Tags
getJsonSerializeOptions()
Returns the default JSON serialization options.
public
getJsonSerializeOptions() : array<string|int, mixed>
This method determines how the jsonSerialize() output is reduced or compressed, etc.
It can be overridden in child classes to customize serialization behavior.
Return values
array<string|int, mixed> —Returns the reduction/compression options for JSON serialization.
getSchemaType()
Returns the fully qualified URI of the schema type.
public
static getSchemaType() : string
This method combines the class's CONTEXT constant with its short name
to produce a globally unique identifier for the entity type.
- It uses Late Static Binding to ensure the correct context is retrieved even when called from an inherited class (e.g., Corporation vs. Affiliate).
- Performance Optimization:
Results are stored in a static cache (
$schemaTypeCache) to avoid redundant Reflection calls during the same execution lifecycle.
Return values
string —The absolute URI of the type (e.g., "https://schema.org/Thing"). ** @example
echo Thing::getSchemaType(); // https://schema.org/Thing
echo Affiliate::getSchemaType(); // https://schema.oihana.xyz/Pagination
jsonSerialize()
Serializes the current object into a JSON-LD array.
public
jsonSerialize() : array<string|int, mixed>
Includes public properties, the JSON-LD @context and @type.
Null values are automatically removed.
Tags
Return values
array<string|int, mixed> —JSON-LD representation of the object.
withAtContext()
Sets the internal JSON-LD `@context` attribute.
public
withAtContext(string $context) : $this
Useful if you need a custom JSON-LD context.
Parameters
- $context : string
-
Optional JSON-LD context.
Return values
$thiswithAtType()
Sets the internal JSON-LD `@type` attribute.
public
withAtType(string $type) : $this
Allows overriding the default type inferred from the class.
Parameters
- $type : string
-
Optional JSON-LD type
Return values
$thiswithJSONLDMeta()
Initializes both JSON-LD metadata: `@type` and `@context`.
public
withJSONLDMeta([string|null $atType = null ][, string|null $atContext = null ]) : $this
Can be called from constructor or later to override default values.
Parameters
- $atType : string|null = null
-
Optional JSON-LD type
- $atContext : string|null = null
-
Optional JSON-LD context