Support the project: This SDK is downloaded 1M+ times monthly and powers thousands of applications. If it saves you or your team time, please consider sponsoring its development.
Repository move: The project moved from the kreait to the beste GitHub Organization in January 2026.
The namespace remains Kreait\Firebase and the package name remains kreait/firebase-php.
Please update your remote URL if you have forked or cloned the repository.
- Restricted Realtime Database URLs to Firebase-owned hosts and reject non-root URLs with embedded paths, query strings, or fragments while preserving emulator support. Related OWASP Top 10:2025 entry: A02 Security Misconfiguration.
- Added support for Unicode characters in email addresses.
- Added replay-protection verification for App Check tokens via
verifyTokenWithReplayProtection(). The response now includesalreadyConsumedwhen replay protection is used. - Added transitional contract
Kreait\Firebase\Contract\AppCheckWithReplayProtection. This was introduced to preserve backwards compatibility by avoiding a signature change toKreait\Firebase\Contract\AppCheck::verifyToken()in the current major release. - Added dedicated exception
Kreait\Firebase\Exception\AppCheck\FailedToVerifyAppCheckReplayProtectionfor replay-protection verification failures. It extendsKreait\Firebase\Exception\AppCheck\FailedToVerifyAppCheckTokenfor backwards compatibility.
- Added support for
firebase/php-jwt:^7.0.2
- Added
#[SensitiveParameter]attributes to methods handling sensitive data (passwords, tokens, private keys) to prevent them from appearing in stack traces and error logs.
- The SDK supports only actively supported PHP versions. As a result, support for PHP < 8.3 has been dropped; supported versions are 8.3, 8.4, and 8.5.
- Firebase Dynamic Links was shut down on August 25th, 2025 and has been removed from the SDK.
- Deprecated classes, methods and class constants have been removed.
- Method arguments are now fully type-hinted
- Type declarations have been simplified to reduce runtime overhead (e.g.,
Stringable|stringtostring). - The transitional
Kreait\Firebase\Contract\Transitional\FederatedUserFetcher::getUserByProviderUid()method has been moved into theKreait\Firebase\Contract\Authinterface - Realtime Database objects considered value objects have been made final and readonly
psr/loghas been moved from runtime dependencies to development dependenciesKreait\Firebase\Contract\Messaging::BATCH_MESSAGE_LIMITconstant has been removed- Exception codes are no longer preserved when wrapping exceptions
Kreait\Firebase\Messaging\CloudMessagebuilder methods have been renamed to follow thewith*pattern:toToken()->withToken(),toTopic()->withTopic(),toCondition()->withCondition(). The old methods are deprecated but still available as aliases.
See UPGRADE-8.0 for more details on the changes between 7.x and 8.0.
https://github.com/beste/firebase-php/blob/7.24.0/CHANGELOG.md