Version 3.0.0 — Now Available

WebGuard Documentation

Advanced PHP Login and User Management System built on CodeIgniter 4. Secure, extensible, and production-ready with multi-language support, OAuth, 2FA, SSO, REST API, and a full add-on system.

CI 4.7+
Framework
PHP 8.3+
Requirement
20+
Languages
REST API
Built-in
Add-ons
Extensible

Introduction

Everything you need to know about WebGuard and what it offers.

WebGuard is a complete PHP authentication and user management platform built on top of CodeIgniter 4. It provides a solid, secure foundation so you can focus on building your application instead of re-implementing authentication logic from scratch.

Designed for developers, WebGuard ships with a clean admin panel, REST API, group-based permission system, multi-language support, OAuth/Social login, Two-Factor Authentication, Single Sign-On, a notification engine, and a full add-on/hook system that lets you extend the platform without touching core files.

Secure by Default
CSRF protection, rate limiting, bcrypt hashing, and HTTPS-ready configuration out of the box.
REST API
JWT-based API with token management, route protection, and built-in rate limiting.
Add-on System
Hook-based extensibility. Install, activate, and deactivate modules without modifying core code.
20+ Languages
Full i18n support. Ships with English, Portuguese, Spanish, Arabic, Chinese, French, German, and more.
OAuth & SSO
Social login with Google, Facebook, GitHub, and more. SSO with token-based session handoff.
2FA Support
TOTP-based two-factor authentication with QR code generation and backup codes.
License: WebGuard is a premium CodeCanyon item. A valid license is required for production use. Each license covers one domain.

What's New in v3.0.0

A major release with new features, improvements, and breaking changes.

WebGuard v3.0.0 is the largest release to date. It introduces a fully redesigned add-on/hook system, WhatsApp notifications, storage gateway support, 12 new languages, and significant security and performance improvements.

NEW New Features

  • Add-on / Hook system with permission-based visibility
  • WhatsApp notification channel
  • Storage gateway abstraction layer
  • Impersonate user with session restore
  • 12 new interface languages (DE, FR, IT, JA, KO, ZH, RU, PL, TR, HI, ID, AR)
  • Error pages 400, 403, 404, 503
  • SSO token-based authentication
  • Module permission control per user group

IMPROVED Improvements

  • Redesigned admin UI with modern components
  • Notification system with email, SMS, and WhatsApp
  • JWT helper rewritten for better token validation
  • User group rules now control add-on hook visibility
  • Settings panel reorganized with tabs
  • Datatable columns now support hook-injected data
  • Profile page with Select2 dropdowns
  • SweetAlert upgraded to v2 across all views

SECURITY Security Enhancements

  • Throttler filter applied to all auth routes
  • CSRF token refresh on each request
  • Password hashing upgraded to PHP password_hash()
  • Demo mode prevents data mutation
  • Impersonate flow validates session integrity
  • API endpoints secured with JWT expiry checks

BREAKING Breaking Changes

  • Minimum PHP version raised to 8.1
  • CodeIgniter upgraded to 4.6+
  • SweetAlert v1 swal() replaced with Swal.fire()
  • Add-on hooks without group permission are now hidden by default
  • Database migrations must be re-run for new tables
  • session()->get('token') is now updated on impersonate

Requirements

Server and environment prerequisites before installing WebGuard.

ComponentMinimumRecommendedNotes
PHP8.18.3Extensions: intl, mbstring, json, curl, gd, xml
CodeIgniter4.6.0Latest 4.xIncluded in package
MySQL5.78.0+MariaDB 10.4+ also supported
Web ServerApache / NginxNginxmod_rewrite required on Apache
Composer2.xLatestRequired for dependency management

Required PHP Extensions

intl
Internationalization support
mbstring
Multi-byte string handling
curl
OAuth & external API calls
gd
Image processing for avatars
json
JSON encode / decode
openssl
JWT signing & encryption

Install on a Standard Server

Deploy WebGuard to a VPS, shared hosting, or cloud server.

1
Upload the files
Upload all files from the upload folder to your server's web root (e.g., /public_html/ or /var/www/html/).
2
Create a MySQL database
Create a new database and user via cPanel, phpMyAdmin, or the command line. Note the database name, username, and password.
3
Configure the .env file
Rename env to .env and update the following values:
.env
# App
CI_ENVIRONMENT = production
app.baseURL = 'https://yourdomain.com/'
app.appTimezone = 'America/Sao_Paulo'

# Database
database.default.hostname = localhost
database.default.database = your_database
database.default.username = your_user
database.default.password = your_password
database.default.DBDriver = MySQLi

# Security
encryption.key = hex2bin:YOUR_HEX_KEY_HERE
4
Run database migrations
Open your browser and navigate to https://yourdomain.com/install to run the setup wizard, or run migrations via CLI:
bash
# 1. Run migrations
php spark migrate --all

# 2. Run seeds
php spark db:seed DataSeeder
5
Log in
Navigate to your domain and log in with the default credentials. Change them immediately after first login.
FieldDefault Value
Email[email protected]
Password12345678
Security: Always change the default credentials before going to production. Remove the /install route from app/Config/Routes.php after setup.

Install on Localhost (XAMPP / WAMP)

Set up a local development environment for WebGuard.

1
Copy files to htdocs / www
Copy the extracted package to C:\xampp\htdocs\webguard\ (XAMPP) or C:\wamp\www\webguard\ (WAMP).
2
Configure .env for localhost
Update the .env file with your local settings:
.env
CI_ENVIRONMENT = development
app.baseURL = 'http://localhost/webguard/public/'

database.default.hostname = localhost
database.default.database = webguard
database.default.username = root
database.default.password = 
database.default.DBDriver = MySQLi
On localhost the baseURL must point to the /public/ directory. Do not change it to the project root.

Install in a Subfolder

Run WebGuard at https://yourdomain.com/app/ instead of the root.

1
Upload to a subfolder
Upload all files to /public_html/app/.
2
Update baseURL
Set the baseURL to include the subfolder path:
.env
app.baseURL = 'https://yourdomain.com/app/public/'
Apache users: Make sure mod_rewrite is enabled and the .htaccess file inside the public/ directory is present and not blocked.

CI4 Native Install

Install WebGuard as a Composer package inside an existing CodeIgniter 4 project.

If you already have a CI4 project and want to integrate WebGuard's auth layer, use the native install method:

bash
# 1. Clone or copy WebGuard files into your project
cp -r webguard/app/* your-project/app/

# 2. Install dependencies
composer install

# 3. Run migrations
php spark migrate --all

# 4. Run seeds
php spark db:seed DataSeeder

# 5. Start development server
php spark serve
When integrating into an existing CI4 project, ensure there are no conflicts in app/Config/Routes.php and app/Config/App.php.

Using the REST API

Authenticate and consume WebGuard's built-in REST API from any client.

Authentication

All protected API routes require a Bearer token in the Authorization header. Obtain a token by posting credentials to the login endpoint:

POST /api/auth/login Returns a JWT access token
JSON Request
{
  "email": "[email protected]",
  "password": "your_password"
}
JSON Response
{
  "status": "success",
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "user": {
    "id": 1,
    "name": "Admin",
    "email": "[email protected]",
    "group": "admin"
  }
}

Using the Token

cURL
curl -X GET https://yourdomain.com/api/users \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..." \
  -H "Content-Type: application/json"

Creating REST Endpoints

Add new protected API routes to WebGuard.

1
Create a controller in app/Controllers/Api/
Extend BaseController and use the JwtFilter to protect the route.
PHP — app/Controllers/Api/Products.php
namespace App\Controllers\Api;

use App\Controllers\BaseController;

class Products extends BaseController
{
    public function index()
    {
        $data = [
            ['id' => 1, 'name' => 'Widget', 'price' => 9.99],
        ];

        return $this->response
            ->setStatusCode(200)
            ->setJSON(['status' => 'success', 'data' => $data]);
    }
}
2
Register the route with JWT filter
PHP — app/Config/Routes.php
$routes->group('api', ['filter' => 'jwt'], function($routes) {
    $routes->get('products', 'Api\Products::index');
});

Creating CRUD Modules

Use the built-in Maker tool to scaffold a full CRUD module in seconds.

WebGuard includes a Code Maker tool at /tools/maker that generates all the boilerplate for a new CRUD module: migration, model, controller, views, routes, and language keys.

1
Go to Tools → Code Maker
In the admin panel, navigate to Tools → Code Maker and fill in the module name and fields.
2
Define your fields
Add each database column: name, type (VARCHAR, TEXT, INT, etc.), and whether it's required.
3
Generate & Download
Click Generate to download a ZIP with the complete module. Extract it into your project and run php spark migrate.
4
Add to the navigation menu
Go to Tools → Menu Editor and add a link to your new module's index route.
The generated module is fully integrated with WebGuard's permission system. Assign access via Settings → Groups.

Creating Add-ons

Extend WebGuard without touching core files using the hook system.

WebGuard v3.0.0 features a powerful hook-based add-on system. Add-ons live in app/Modules/ and are registered in app/Modules/Modules.json. They can inject content into predefined hook points throughout the UI and control which user groups can see their hooks.

Add-on File Structure

Structure
app/Modules/
└── MyAddon/
    ├── app.json          # Manifest & hook definitions
    ├── Controllers/
    │   └── MyAddon.php
    ├── Models/
    │   └── MyAddonModel.php
    ├── Views/
    │   ├── index.php
    │   └── hooks/
    │       └── user_list_action.php
    └── Database/
        └── Migrations/

app.json Manifest

JSON — app/Modules/MyAddon/app.json
{
  "name": "My Addon",
  "description": "A sample WebGuard add-on",
  "type": "module",
  "author": "Your Name",
  "homepage": "https://example.com",
  "license": "MIT",
  "version": "1.0.0",
  "requires": {
    "webguard": ">=3.0.0"
  },
  "directory": "MyAddon",
  "menu": [
    {
      "icon": "fas fa-puzzle-piece",
      "title": "App.menu_myaddon",
      "children": [
        {
          "title": "App.menu_myaddon_list",
          "url": "myaddon",
          "external": false
        },
        {
          "title": "App.menu_myaddon_add",
          "url": "myaddon/add",
          "external": false
        }
      ]
    }
  ],
  "hooks": [
    {
      "point": "user_list_actions",
      "actions": [
        {
          "label": "View Tasks",
          "url": "myaddon?user={token}",
          "icon": "fas fa-tasks"
        }
      ]
    },
    {
      "point": "settings_tab_nav",
      "view": "MyAddon/Views/hooks/settings_tab"
    }
  ]
}
FieldRequiredDescription
nameYesDisplay name of the add-on
descriptionNoShort description of the add-on
typeYesMust be "module"
authorNoAuthor name
homepageNoAuthor or project URL
licenseNoLicense identifier (e.g. "MIT")
versionYesSemantic version string (e.g. "1.0.0")
requires.webguardNoMinimum WebGuard version constraint (e.g. ">=3.0.0")
directoryYesFolder name inside app/Modules/ — alphanumeric + underscore only, cannot be a reserved name
menuYesArray of sidebar menu entries injected under the Modules divider
hooksNoArray of hook definitions (view or actions mode)

menu[] fields

FieldRequiredDescription
iconYesFontAwesome class (e.g. "fas fa-puzzle-piece")
titleYesTranslation key (e.g. "App.menu_myaddon")
childrenYes*Submenu items — if present, url/external are not needed on the parent
urlYes*Route URL — only when there are no children
externalYes*true opens in a new tab — only when there are no children

menu[].children[] fields

FieldRequiredDescription
titleYesTranslation key
urlYesRoute URL (relative to site root)
externalYestrue opens in a new tab; false uses site_url()

Permission-based Hook Visibility

In v3.0.0, hooks are only shown to users whose group is listed in the add-on's rules array in Modules.json. An empty rules array means no one sees the hooks.

JSON — app/Modules/Modules.json
[
  {
    "name": "My Addon",
    "directory": "MyAddon",
    "status": true,
    "rules": ["115b5ad39b853084209caf6824224f6b"]
  }
]
The rules array contains group tokens (not group names). Find the token in Settings → Groups or directly in the user_group table. You can also add "permission" to individual hooks for finer-grained control.

Available Hook Points

Hook PointLocationMode
user_list_actionsUser list dropdown per rowactions / view
user_list_columns_headerUser list table headeractions (tag: th)
user_list_columns_dataUser list table row dataview
user_form_extra_fieldsUser add/edit formview
user_form_actionsUser form action buttonsactions
settings_tab_navSettings page tab navigationview
settings_tab_contentSettings page tab contentview
notification_form_extraNotification form extra fieldsview

Creating Languages

Add a new interface language to WebGuard.

1
Copy the English language folder
Duplicate app/Language/en/ and rename it to your language code (e.g., de for German).
2
Translate the strings in App.php
Open app/Language/de/App.php and translate all values. Keep the array keys unchanged.
3
Register the language in the settings
Add the language option to the language selector in app/Views/themes/backend/focus2/layout/main.php and in app/Views/themes/backend/focus2/form/profile/index.php.
WebGuard v3.0.0 ships with 20+ languages: English, Portuguese, Spanish, Arabic, Chinese, French, German, Italian, Japanese, Korean, Polish, Russian, Turkish, Hindi, Indonesian, and more.

Two-Factor Authentication (2FA)

Enable TOTP-based 2FA for admin and user accounts.

1
Enable 2FA in Settings
Go to Settings → Security and toggle Two-Factor Authentication on.
2
Users configure from their Profile
Each user goes to Profile, scrolls to the 2FA section, enables it, and scans the QR code with an authenticator app (Google Authenticator, Authy, etc.).
3
Save backup codes
After scanning the QR code, users must download the backup codes and store them securely. These codes can be used if the authenticator device is lost.
Backup codes are shown only once. If a user loses both their authenticator and backup codes, an administrator must disable 2FA manually from the user edit page.

OAuth / Social Login

Allow users to sign in with Google, Facebook, GitHub, and other providers.

1
Create OAuth credentials
Create an OAuth application in the provider's developer console (e.g., Google Cloud Console, GitHub Developer Settings). Set the callback URL to https://yourdomain.com/sso/callback/PROVIDER.
2
Configure in Settings → OAuth
In the admin panel go to Settings → OAuth, select the provider, enter your Client ID and Client Secret, and enable it.
ProviderCallback URLStatus
Google/sso/callback/googleSupported
Facebook/sso/callback/facebookSupported
GitHub/sso/callback/githubSupported
Microsoft/sso/callback/microsoftSupported
LinkedIn/sso/callback/linkedinSupported

Single Sign-On (SSO)

Authenticate users from an external system via token handoff.

WebGuard implements a broker-based SSO model. WebGuard acts as the SSO Server (identity provider). External applications act as Brokers — they delegate authentication to WebGuard via a shared secret key, without ever handling user passwords directly.

Enable SSO and set the Secret Key in Settings → SSO before using any of the endpoints below.

Broker Flow (step by step)

1
Broker generates a random token and attaches its session
The broker generates a unique token (random string), computes a checksum, and redirects the user's browser to:

GET /sso/attach?broker=MY_BROKER&token=TOKEN&checksum=HMAC&return_url=https://myapp.com/after-attach

WebGuard links the broker's token to a server-side session and redirects back to return_url.
2
Broker checks if the user is already logged in
After attach, the broker calls:

GET /sso/verify — with header Authorization: SSO-Broker MY_BROKER:TOKEN

WebGuard returns the user object (200) if a session exists, or 204 No Content if no one is logged in yet.
3
Broker logs the user in
If verify returns 204, the broker submits the user's credentials:

POST /sso/login — body: [email protected]&password=secret
Header: Authorization: SSO-Broker MY_BROKER:TOKEN

On success WebGuard returns the user profile (200). The session is now shared — any other broker using the same SSO server will see this user as logged in via /sso/verify.
4
(Optional) Issue a short-lived JWT
The broker can request a JWT for the authenticated user:

GET /sso/token — Header: Authorization: SSO-Broker MY_BROKER:TOKEN

Returns { "token": "eyJ...", "expires_in": 3600 }. Use this JWT to authenticate calls to WebGuard's REST API or other services.
5
Broker logs the user out
POST /sso/logout — Header: Authorization: SSO-Broker MY_BROKER:TOKEN

Destroys the SSO session. All brokers sharing that session will immediately see the user as logged out on the next /sso/verify call.

Endpoints Reference

MethodEndpointAuth HeaderDescription
GET/sso/attachLink broker token to SSO session (browser redirect)
GET/sso/verifySSO-BrokerReturns logged-in user (200) or 204 if not authenticated
POST/sso/loginSSO-BrokerAuthenticate user with email + password
POST/sso/logoutSSO-BrokerDestroy SSO session
GET/sso/userInfoSSO-BrokerAlias for /sso/verify
GET/sso/tokenSSO-BrokerIssue a short-lived JWT for the authenticated user

Authorization Header Format

HTTP
Authorization: SSO-Broker MY_BROKER:TOKEN

Checksum Calculation (attach)

The checksum sent to /sso/attach must be computed as:

PHP
$checksum = hash_hmac('sha256', 'attach' . $token, $secretKey . $broker);

User Profile Payload

Returned by /sso/verify, /sso/login, and /sso/userInfo:

JSON
{
  "token":      "abc123...",
  "first_name": "John",
  "last_name":  "Doe",
  "email":      "[email protected]",
  "picture":    "https://...",
  "language":   "en",
  "country":    "US",
  "status":     1,
  "group":      "115b5ad39b853084209caf6824224f6b"
}

JWT Token Response

JSON
{
  "token":      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 3600
}
Security notes:
  • The broker identifier must be alphanumeric (max 64 chars). The token must be 8–128 alphanumeric chars.
  • All SSO endpoints return 503 if SSO is disabled in settings.
  • Blocked or inactive users are rejected at login.
  • The JWT lifetime is configured via Settings → SSO → Token Lifetime (default: 3600 s).

Notifications

Send notifications via Email, SMS, and WhatsApp (new in v3.0.0).

WebGuard's notification engine allows sending templated messages to users across multiple channels. Templates are managed at Settings → Templates.

ChannelConfigurationv3.0.0
Email (SMTP)Settings → EmailAvailable
SMS (Twilio / SMPP)Settings → SMSAvailable
WhatsAppSettings → WhatsAppNEW
In-appBuilt-inAvailable

Sending a Notification Programmatically

PHP
$notif = new \App\Models\NotificationModel();
$notif->send([
    'recipient' => $userToken,
    'template' => 'welcome',
    'channel'  => ['email', 'whatsapp'],
    'data'     => ['name' => $user['first_name']],
]);

Permissions & User Groups

Control what each user group can access throughout the application.

WebGuard uses a group-based permission system. Each user belongs to a group, and each group has a set of allowed controller actions stored as JSON in the user_group table's rules column.

Permission Structure

JSON — rules column
{
  "User": ["index", "add", "edit", "store", "delete", "impersonate"],
  "Settings": ["index", "store", "oauth", "module"],
  "Activity": ["index"]
}

Each key is a controller name and each value is an array of allowed method names. The menu and UI elements are automatically hidden for methods the user's group does not have access to.

Add-on hooks also respect this system. A hook with "permission": "Task" in app.json will only be visible to groups that have Task in their rules.

API Reference

Complete list of available REST API endpoints.

Authentication

POST/api/auth/loginGet JWT token
POST/api/auth/refreshRefresh JWT token
POST/api/auth/logoutInvalidate token

Users

GET/api/usersList all users
GET/api/users/{token}Get single user
POST/api/usersCreate user
PUT/api/users/{token}Update user
DELETE/api/users/{token}Delete user

Groups

GET/api/groupsList all groups
GET/api/groups/{token}Get single group

Profile

GET/api/profileGet current user profile
PUT/api/profileUpdate current user profile

Notifications

GET/api/notificationsList notifications
POST/api/notificationsSend notification
All endpoints except /api/auth/login require a valid Bearer token in the Authorization header.

Configuration Reference

Key environment variables and configuration options.

KeyDefaultDescription
CI_ENVIRONMENTproductionSet to development to show errors
app.baseURLFull URL including trailing slash
app.appTimezoneUTCPHP timezone for dates
demo.modefalsePrevent data mutation in demo
theme.backend.paththemes/backend/focus2/Active backend theme path
jwt.secretSecret key for JWT signing
jwt.ttl3600Token TTL in seconds

Changelog

Release history for WebGuard.

v3.0.0 Latest June 2026
  • Add-on / Hook system with group-based permission control
  • WhatsApp notification channel
  • Storage gateway abstraction layer
  • Impersonate user with full session restore (including token)
  • 12 new interface languages
  • Custom error pages: 400, 403, 404, 503
  • SSO token-based authentication flow
  • Module permission management per user group
  • Redesigned admin UI with modern components
  • JWT helper rewritten with better token validation
  • SweetAlert upgraded to v2 across all views
  • Profile page Select2 dropdowns now load correctly
  • Datatable columns support hook-injected data
  • Throttler filter on all auth routes
  • Demo mode prevents data mutation
  • PHP 8.1+ required (raised from 7.4)
  • CodeIgniter upgraded to 4.6+
  • Add-on hooks hidden by default when rules is empty
  • REST API with JWT authentication
  • Two-Factor Authentication (TOTP)
  • OAuth social login (Google, Facebook, GitHub)
  • Code Maker tool for CRUD scaffolding
  • Menu editor with drag-and-drop
  • Group permissions now stored as JSON rules
  • Notification system with email and SMS
  • CSRF protection on all forms
  • Fixed session fixation vulnerability on login
  • Multi-language support (EN, PT, ES)
  • Dark mode toggle
  • Improved responsive layout for mobile
  • Password reset token expiry now enforced
  • Initial release on CodeCanyon
  • Login, registration, password recovery
  • User management with group permissions
  • Activity log
  • Profile with avatar upload
  • Built on CodeIgniter 4

Support

Get help with WebGuard installation, customization, and bugs.

Before opening a ticket: Please include your WebGuard version, PHP version, CI version, the exact error message, and steps to reproduce the issue.