Server Functions, Exposed Securely

Call PHP functions from your frontend as if they were local JavaScript functions. Protected by the #[Exposed] attribute.

Attribute Security

Functions are private by default. You must explicitly opt-in using PHP 8 Attributes to expose them to the client.

Built-in Auth Checks

Stop writing if (!$user) return; checks by hand. Just add requiresAuth: true and the framework handles the guard.

Role Based Access

Granular control. Restrict execution to specific roles like ['admin', 'editor'] directly in the function signature.

Security & Authentication

Control who can access your backend logic using PHP Attributes.

Require Authentication

use PP\Attributes\Exposed;

// Only logged in users can call this
#[Exposed(requiresAuth: true)]
function getUserProfile() {
    return Auth::user();
}

Role Based Access (RBAC)

use PP\Attributes\Exposed;

// Implies requiresAuth: true
#[Exposed(allowedRoles: ['admin', 'editor'])]
function deletePost($args) {
    // Safe to perform admin action
    Post::delete($args->id);
}

How it works: If a user tries to call a function they don't have access to, the server rejects the request immediately. The client will automatically receive a redirection instruction to the login page if requiresAuth fails.
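
The guard described above, written out as a minimal sketch (an added example, not Prisma PHP's own code): a stand-in attribute DemoExposed and a hypothetical dispatch() show the deny-by-default lookup followed by the auth and role checks. The status codes are this sketch's choice; it covers plain functions only and does not model the login redirect.

```php
<?php
// Added sketch. DemoExposed and dispatch() are stand-ins, not Prisma PHP code.
#[Attribute(Attribute::TARGET_FUNCTION)]
final class DemoExposed
{
    public function __construct(
        public bool $requiresAuth = false,
        public array $allowedRoles = [],
    ) {}
}

#[DemoExposed(requiresAuth: true)]
function getUserProfile(object $args): string { return 'profile data'; }
#[DemoExposed(allowedRoles: ['admin', 'editor'])]
function deletePost(object $args): string { return "deleted post {$args->id}"; }
// No attribute: must never be callable from the client.
function purgeCache(object $args): string { return 'cache purged'; }

/** Returns [status, body]; $user is null for an anonymous caller. */
function dispatch(string $name, object $args, ?array $user): array
{
    // Missing, built-in and unmarked functions all get the same answer, so the
    // endpoint is deny-by-default and does not reveal which private names exist.
    $attrs = function_exists($name)
        ? (new ReflectionFunction($name))->getAttributes(DemoExposed::class)
        : [];
    if ($attrs === []) {
        return [404, 'not found'];
    }
    $rule = $attrs[0]->newInstance();
    // A role list implies authentication, as on the page.
    if (($rule->requiresAuth || $rule->allowedRoles !== []) && $user === null) {
        return [401, 'login required'];
    }
    if ($rule->allowedRoles !== []
        && !in_array($user['role'] ?? null, $rule->allowedRoles, true)) {
        return [403, 'forbidden'];
    }
    return [200, $name($args)];
}

$viewer = ['id' => 7, 'role' => 'viewer']; // constructed callers and request
$editor = ['id' => 9, 'role' => 'editor'];
$post   = (object) ['id' => 42];
foreach ([['purgeCache', $editor], ['phpinfo', $editor], ['getUserProfile', null],
          ['deletePost', $viewer], ['deletePost', $editor]] as [$fn, $who]) {
    [$status, $body] = dispatch($fn, $post, $who);
    printf("%-15s %-7s -> %d %s\n", $fn, $who['role'] ?? 'anon', $status, $body);
}
```

The attribute decides who may call a function, not what they send: the argument object is still client input and needs its own validation inside the function.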

Data Flow Example

Backend (PHP, server-side)

<?php
use PP\Attributes\Exposed;

#[Exposed]
function updateUser($data) {
    // $data arrives as an object automatically; its fields come from the client
    $email = $data->email;

    return [
        'success' => true,
        'msg' => "Updated $email"
    ];
}
?>

Frontend (JS, client-side)

<script>
    async function save() {
        const res = await pp.fetchFunction(
            'updateUser', 
            { email: 'john@doe.com' }
        );

        if (res.success) {
            console.log(res.msg); 
        }
    }
</script>

Client API Reference

Method Signature (TypeScript Definition)

fetchFunction<T = any>(
  functionName: string, 
  data: Record<string, any> = {}, 
  abortPrevious: boolean = false
): Promise<T | string>

  • functionName: The exact name of the PHP function. Supports namespaces for static methods (e.g., User::update).
  • data: Object containing arguments. Supports nested objects, arrays, and File objects (automatically handled as multipart/form-data).
  • abortPrevious: Boolean. If true, cancels any pending requests from this caller. Perfect for search inputs or filters to prevent race conditions.

Zero-Config File Uploads

Prisma detects File objects in your payload and automatically switches the content-type. No need for FormData construction.

Auto-Response Parsing

PHP arrays are automatically converted to JSON objects on the frontend. Strings and booleans are preserved.